CVE-2026-8208

Summary

Gibbon versions before v30.0.01 are affected by a local file inclusion vulnerability resulting in RCE by changing the report archive directory and forcing interpretation of a user provided .zip as PHP. Successful exploitation requires Teacher or higher privileges. Exploitation could result in compromise of the underlying web server.

Affected Software

VendorProductVersion RangeStatus
gibbonedugibbon0 < 30.0.01affected

Weaknesses

  • CWE-98: CWE-98 Improper control of filename for Include/Require statement in PHP program ('PHP remote file inclusion')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References