EUVD-2026-19865CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
3Tags
Description
Genealogy is a family tree PHP application. Prior to 5.9.1, a critical broken access control vulnerability in the genealogy application allows any authenticated user to transfer ownership of arbitrary non-personal teams to themselves. This enables complete takeover of other users’ team workspaces and unrestricted access to all genealogy data associated with the compromised team. This vulnerability is fixed in 5.9.1.
Analysis
Authenticated users can hijack arbitrary team workspaces in Genealogy PHP application versions before 5.9.1 through broken access control, enabling complete takeover of genealogy data belonging to other users. The vulnerability requires only low-privilege authentication (PR:L) with network access (AV:N) and low attack complexity (AC:L), allowing any authenticated user to transfer ownership of non-personal teams to themselves. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Inventory all Genealogy PHP deployments and identify instances running versions before 5.9.1; restrict network access to the application to trusted IP ranges only and disable external access if operationally feasible. Within 7 days: Implement role-based access control (RBAC) validation in custom middleware to prevent low-privilege users from modifying team ownership; audit all team ownership changes in the past 90 days for unauthorized transfers. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today