{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39355", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-06T21:29:17.349Z", "datePublished": "2026-04-07T18:56:06.385Z", "dateUpdated": "2026-04-08T18:10:34.141Z"}, "containers": {"cna": {"title": "Genealogy is Missing Authorization in `TeamController::transferOwnership()` Allows Any Authenticated User to Hijack Any Team (Broken Access Control)", "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "lang": "en", "description": "CWE-862: Missing Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/MGeurts/genealogy/security/advisories/GHSA-2rq7-jqm7-w8x4", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/MGeurts/genealogy/security/advisories/GHSA-2rq7-jqm7-w8x4"}], "affected": [{"vendor": "MGeurts", "product": "genealogy", "versions": [{"version": "< 5.9.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-07T18:56:06.385Z"}, "descriptions": [{"lang": "en", "value": "Genealogy is a family tree PHP application. Prior to 5.9.1, a critical broken access control vulnerability in the genealogy application allows any authenticated user to transfer ownership of arbitrary non-personal teams to themselves. This enables complete takeover of other users\u2019 team workspaces and unrestricted access to all genealogy data associated with the compromised team. This vulnerability is fixed in 5.9.1."}], "source": {"advisory": "GHSA-2rq7-jqm7-w8x4", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/MGeurts/genealogy/security/advisories/GHSA-2rq7-jqm7-w8x4", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-08T18:10:30.678440Z", "id": "CVE-2026-39355", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T18:10:34.141Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-39355", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-08T18:10:30.678440Z"}}}], "references": [{"url": "https://github.com/MGeurts/genealogy/security/advisories/GHSA-2rq7-jqm7-w8x4", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T18:10:24.750Z"}}], "cna": {"title": "Genealogy is Missing Authorization in `TeamController::transferOwnership()` Allows Any Authenticated User to Hijack Any Team (Broken Access Control)", "source": {"advisory": "GHSA-2rq7-jqm7-w8x4", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 10, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "MGeurts", "product": "genealogy", "versions": [{"status": "affected", "version": "< 5.9.1"}]}], "references": [{"url": "https://github.com/MGeurts/genealogy/security/advisories/GHSA-2rq7-jqm7-w8x4", "name": "https://github.com/MGeurts/genealogy/security/advisories/GHSA-2rq7-jqm7-w8x4", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Genealogy is a family tree PHP application. Prior to 5.9.1, a critical broken access control vulnerability in the genealogy application allows any authenticated user to transfer ownership of arbitrary non-personal teams to themselves. This enables complete takeover of other users\u2019 team workspaces and unrestricted access to all genealogy data associated with the compromised team. This vulnerability is fixed in 5.9.1."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862: Missing Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-07T18:56:06.385Z"}}}, "cveMetadata": {"cveId": "CVE-2026-39355", "state": "PUBLISHED", "dateUpdated": "2026-04-08T18:10:34.141Z", "dateReserved": "2026-04-06T21:29:17.349Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-07T18:56:06.385Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:kreaweb:genealogy:*:*:*:*:*:*:*:*", "matchCriteriaId": "9493DF66-D714-40BF-B9E9-C861AD3DE26F", "versionEndExcluding": "5.9.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Genealogy is a family tree PHP application. Prior to 5.9.1, a critical broken access control vulnerability in the genealogy application allows any authenticated user to transfer ownership of arbitrary non-personal teams to themselves. This enables complete takeover of other users\u2019 team workspaces and unrestricted access to all genealogy data associated with the compromised team. This vulnerability is fixed in 5.9.1."}], "id": "CVE-2026-39355", "lastModified": "2026-04-10T19:03:43.350", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-07T19:16:46.523", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/MGeurts/genealogy/security/advisories/GHSA-2rq7-jqm7-w8x4"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/MGeurts/genealogy/security/advisories/GHSA-2rq7-jqm7-w8x4"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,5.9.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "genealogy", "source": "cna", "vendor": "MGeurts"}, "product": "genealogy", "vendor": "mgeurts"}], "analysis": {"en": {"generated_at": "2026-04-10T20:30:02.586431+00:00", "value": {"mitigation_remediation": ["Upgrade Genealogy to version 5.9.1 or later."], "summary": {"action": "Immediate Patch", "impact": "Privilege Escalation: Team Hijack"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the MGeurts Genealogy application prior to version 5.9.1. Any authenticated user who can access the application can exploit the flaw, regardless of their role or the team\u2019s ownership status.", "description_and_impact": "Genealogy, a family tree PHP application, contains a critical broken access control flaw in the TeamController::transferOwnership method that allows any authenticated user to transfer ownership of non-personal teams to themselves. This flaw permits a user to take over another user\u2019s team workspace and gain unrestricted access to all genealogy data tied to the compromised team. The vulnerability is classified as CWE-862 (Broken Access Control).", "risk_and_exploitability": "The CVSS score of 10 indicates that an attacker could fully compromise a team\u2019s data and functionality. The EPSS score of less than 1% suggests that while the vulnerability is severe, current evidence of exploitation is low, possibly due to a narrow window before the patch. It is not currently listed in CISA\u2019s KEV catalog. The likely attack vector is an authenticated web request to the transferOwnership endpoint; therefore, any legitimate user with a valid session can trigger the exploit if no additional safeguards are in place."}}}}, "created": "2026-04-08T19:34:53.255359+00:00", "updated": "2026-04-13T14:26:20.329183+00:00", "vendors": ["mgeurts", "mgeurts$PRODUCT$genealogy"]}