Home / Vulnerability Intelligence / CVE-2026-39355

CVE-2026-39355 - Vulnerability Analysis

CriticalCVSS: 9.9

Last Updated: April 8, 2026

Genealogy - Broken Access Control

Published: April 7, 2026Updated: April 8, 2026Remote Exploitable

Overview

Genealogy < 5.9.1 contains a broken access control vulnerability caused by improper authorization checks in team ownership transfer, letting authenticated users take over arbitrary non-personal teams, exploit requires user authentication.

Severity & Score

Severity: Critical

CVSS Score: 9.9

EPSS Score: 3.9%(Probability of exploitation in next 30 days)

Impact

Authenticated users can take over other users' teams, gaining unrestricted access to all associated genealogy data.

Mitigation

Upgrade to version 5.9.1 or later.

References

https://github.com/MGeurts/genealogy/security/advisories/GHSA-2rq7-jqm7-w8x4

Social Media Activity(1 post)

TheHackerWire

@thehackerwire

Apr 8, 2026

🔴 CVE-2026-39355 - Critical (9.9) Genealogy is a family tree PHP application. Prior to 5.9.1, a critical broken access control vulnerability in the genealogy application allows any authenticated user to transfer ownership of arbitrary non-personal teams to themselves. This enables... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-39355/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Related Resources

Details

CVE ID: CVE-2026-39355
Severity: Critical
CVSS Score: 9.9
Type: broken_access_control
Status: unconfirmed
EPSS: 3.9%
Social Posts: 1

CWE

CWE-862

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

EPSS Score

3.9%Probability of exploitation in the next 30 days