HIGH SeverityCVSS 4.08.9CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

CVE-2026-8208

Last updated May 09, 2026 · Published May 09, 2026

Description

Gibbon versions before v30.0.01 are affected by a local file inclusion vulnerability resulting in RCE by changing the report archive directory and forcing interpretation of a user provided .zip as PHP. Successful exploitation requires Teacher or higher privileges. Exploitation could result in compromise of the underlying web server.

Affected products

1 listed

gibbonedu:gibbon

Mappings

CWE

CWE-98

CAPEC

CAPEC-252

Research

Command injection: how it works and how to prevent itCommand injection happens when untrusted input reaches a shell or process spawn. Avoid the shell, pass…
Template InjectionExplains how untrusted input can be executed by template engines on server or client. Covers safe templating…
Path traversal: how to detect and prevent itPath traversal lets attackers read or write files outside intended directories. Normalise paths, resolve them…

Training

Injection TodaySQL, NoSQL, ORM, and LLM injection - what's changed and what hasn't.
Secure File HandlingUploads, storage, and serving files without opening the door to attackers.
Input Validation and Schema EnforcementValidate early, validate strictly - schemas, allowlists, and type-safe boundaries.

CVE-2026-8208

Description

Affected products

Mappings

Related