CVE-2026-39355
Genealogy: Missing Authorization in `TeamController::transferOwnership()` Allows Any Authenticated User to Hijack Any Team (Broken Access Control)
| CVSS Score | 10.0 |
| EPSS Score | 0.0% |
| EPSS Percentile | 12th |
Genealogy is a family tree PHP application. Prior to 5.9.1, a critical broken access control vulnerability allows any authenticated user to transfer ownership of arbitrary non-personal teams to themselves. This enables complete takeover of other users' team workspaces and unrestricted access to all genealogy data associated with the compromised team. This vulnerability is fixed in 5.9.1.
| CWE | CWE-862 |
| Vendor | mgeurts |
| Product | genealogy |
| Published | Apr 7, 2026 |
| Last Updated | Apr 8, 2026 |
CVSS v3 Breakdown
| Vector | `CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H` |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | Low |
| User Interaction | None |
| Scope | Changed |
| Confidentiality | High |
| Integrity | High |
| Availability | High |
Affected Versions
| MGeurts / genealogy | < 5.9.1 |