What is CVE-2026-39355?

CVE-2026-39355 is a critical-severity vulnerability in Mgeurts Genealogy, classified under Missing Authorization. CVSS score: 10.0/10. Published 2026-04-07.

How severe is CVE-2026-39355?

Critical severity. CVSS v3 base score is 10.0 out of 10.

Auth bypass in Mgeurts Genealogy

CVE-2026-39355

Genealogy is a family tree PHP application. Prior to 5.9.1, a critical broken access control vulnerability in the genealogy application allows any authenticated user to transfer ownership of arbitrary non-personal teams to themselves. This…

Vulnerability class: Broken Access Control

EPSS: 0.001 (16.9th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 10.0 (Critical). Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H.

Affected products

Mgeurts Genealogy — versions < 5.9.1

Weakness classification (CWE)

CWE-862 — Missing Authorization

References

https://github.com/MGeurts/genealogy/security/advisories/GHSA-2rq7-jqm7-w8x4 (x_refsource_CONFIRM)

Frequently asked questions

What is CVE-2026-39355?: CVE-2026-39355 is a critical-severity vulnerability in Mgeurts Genealogy, classified under Missing Authorization. CVSS score: 10.0/10. Published 2026-04-07.
How severe is CVE-2026-39355?: Critical severity. CVSS v3 base score is 10.0 out of 10.