CVE-2026-8208

N/A Unknown
Published: May 09, 2026 Modified: May 12, 2026
View on NVD

Description

Gibbon versions before v30.0.01 are affected by a local file inclusion vulnerability resulting in RCE by changing the report archive directory and forcing interpretation of a user provided .zip as PHP. Successful exploitation requires Teacher or higher privileges. Exploitation could result in compromise of the underlying web server.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory
https://github.com/GibbonEdu/core/releases/tag/v30.0.01
Source: ab69c47f-b95e-4bf2-b2d9-4b1fd1b24b4a
https://projectblack.io/blog/gibbon-v30-authenticated-sql-injection-and-rce/#local-file-inclusionthe-next-shiny-new-thing
Source: ab69c47f-b95e-4bf2-b2d9-4b1fd1b24b4a

2 reference(s) from NVD

Quick Stats

CVSS v3 Score
N/A / 10.0
EPSS (Exploit Probability)
0.3%
24th percentile
Exploitation Status
Not in CISA KEV

Weaknesses (CWE)

CWE-98

Related CVEs

CVE-2026-12243 7.5
CVE-2026-8023 7.5
CVE-2026-7656 8.1
CVE-2026-51219 N/A
CVE-2026-51218 N/A