QwikSec

Security Database

CVE

CWE

Training

CVE-2026-8208

Published: May 9, 2026

Modified: May 11, 2026

PUBLISHED

Description

Gibbon versions before v30.0.01 are affected by a local file inclusion vulnerability resulting in RCE by changing the report archive directory and forcing interpretation of a user provided .zip as PHP. Successful exploitation requires Teacher or higher privileges. Exploitation could result in compromise of the underlying web server.

Vendor	Product	Versions
gibbonedu	gibbon	affected `0 - < 30.0.01`

Weaknesses (CWE)

References

https://projectblack.io/blog/gibbon-v30-authenticated-sql-injection-and-rce/#local-file-inclusionthe-next-shiny-new-thing

exploit

https://github.com/GibbonEdu/core/releases/tag/v30.0.01

vendor-advisory

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.