CVE-2026-8208
Published 2026-05-09
Priority P349 · high · 8.9 (CVSS 4.0)
CVSS 4.0 vector: AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS: 0.32% (23.7th percentile)
Gibbon versions before v30.0.01 are affected by a local file inclusion vulnerability resulting in RCE by changing the report archive directory and forcing interpretation of a user-provided .zip as PHP. Successful exploitation requires Teacher or higher privileges. Exploitation could result in compromise of the underlying web server.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| gibbonedu | gibbon | < 30.0.01 | 30.0.01 |
VulDB
gibbonedu gibbon up to 30.0.0 filename control (EUVD-2026-28898)
vuldb·2026-05-09·CVSS 8.9
CVE-2026-8208 [HIGH] gibbonedu gibbon up to 30.0.0 filename control (EUVD-2026-28898)
A vulnerability, which was classified as problematic, was found in gibbonedu gibbon up to 30.0.0. This affects an unknown part. The manipulation results in improper control of filename for include/require statement in php program ('php remote file inclusion').
This vulnerability is cataloged as CVE-2026-8208. The attack may be launched remotely. There is no exploit available.
You should upgrade the affected component.
GHSA
GHSA-px5v-8vpf-hw32: Gibbon versions before v30
ghsa_unreviewed·2026-05-09
CVE-2026-8208 [HIGH] CWE-98 GHSA-px5v-8vpf-hw32: Gibbon versions before v30
Gibbon versions before v30.0.01 are affected by a local file inclusion vulnerability resulting in RCE by changing the report archive directory and forcing interpretation of a user-provided .zip as PHP. Successful exploitation requires Teacher or higher privileges. Exploitation could result in compromise of the underlying web server.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.