CVE-2026-8208

UNKNOWN 0.0

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

Gibbon versions before v30.0.01 are affected by a local file inclusion vulnerability resulting in RCE by changing the report archive directory and forcing interpretation of a user provided .zip as PHP. Successful exploitation requires Teacher or higher privileges. Exploitation could result in compromise of the underlying web server.

CWE	CWE-98
Vendor	gibbonedu
Product	gibbon
Published	May 9, 2026
Last Updated	May 9, 2026

Stay Ahead of the Next One

Get instant alerts for gibbonedu gibbon

Be the first to know when new unknown vulnerabilities affecting gibbonedu gibbon are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

gibbonedu / gibbon

0 < 30.0.01

References

NVD ↗ CVE.org ↗ EPSS Data ↗

projectblack.io: https://projectblack.io/blog/gibbon-v30-authenticated-sql-injection-and-rce/#local-file-inclusionthe-next-shiny-new-thing github.com: https://github.com/GibbonEdu/core/releases/tag/v30.0.01