Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
6DescriptionGitHub Advisory
Genealogy is a family tree PHP application. Prior to 5.9.1, a critical broken access control vulnerability in the genealogy application allows any authenticated user to transfer ownership of arbitrary non-personal teams to themselves. This enables complete takeover of other users’ team workspaces and unrestricted access to all genealogy data associated with the compromised team. This vulnerability is fixed in 5.9.1.
AnalysisAI
Authenticated users can hijack arbitrary team workspaces in Genealogy PHP application versions before 5.9.1 through broken access control, enabling complete takeover of genealogy data belonging to other users. The vulnerability requires only low-privilege authentication (PR:L) with network access (AV:N) and low attack complexity (AC:L), allowing any authenticated user to transfer ownership of non-personal teams to themselves. No public exploit code has been identified at time of analysis, though the straightforward access control flaw and detailed GitHub security advisory make exploitation highly feasible for authenticated attackers.
Technical ContextAI
This vulnerability stems from CWE-862 (Missing Authorization), a class of access control flaws where the application fails to properly verify that authenticated users have permission to perform privileged actions. In the Genealogy PHP application's team management functionality, the ownership transfer mechanism lacks proper authorization checks to validate that the requesting user has rights to modify team ownership. This allows any authenticated user-regardless of their role or relationship to a team-to invoke ownership transfer operations on teams they should not control. The scope change indicator (S:C) in the CVSS vector suggests the vulnerability enables crossing security boundaries, as attackers can pivot from their own user context to gain control over other users' isolated team workspaces. PHP applications commonly implement role-based access control through session management and database queries; this flaw indicates missing or improperly implemented permission validation before executing ownership modification database operations.
RemediationAI
Upgrade the Genealogy PHP application to version 5.9.1 or later, which contains the vendor-released patch addressing the broken access control vulnerability. Administrators should deploy this update immediately to all production instances. The fix is available through the official GitHub repository at https://github.com/MGeurts/genealogy, with detailed security advisory information at https://github.com/MGeurts/genealogy/security/advisories/GHSA-2rq7-jqm7-w8x4. Following upgrade, conduct an audit of team ownership records to identify any unauthorized ownership transfers that may have occurred while systems were vulnerable, as historical exploitation could persist through compromised team structures. Review application access logs for unusual team modification activity prior to patching. As an interim measure before patching, consider restricting authenticated user access or disabling team management functionality if operationally feasible, though upgrading to 5.9.1 remains the only complete remediation.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-19865