Description
Gibbon versions before v30.0.01 are affected by an authenticated SQL injection vulnerability in the Tracking/graphing feature (https://github.com/GibbonEdu/core/blob/c431e25fdc874adece5d2dc7e408e9aa2d1abadb/modules/Tracking/graphing.php#L145). Successful exploitation requires Teacher or higher privileges and could result in unintended read/write activity against the underlying database.
Published: 2026-05-09
Score: 7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In Gibbon versions prior to v30.0.01, the Tracking/graphing module contains an authenticated SQL injection flaw. An attacker with Teacher or higher privileges can inject arbitrary SQL code, enabling unintended read or write operations against the underlying database. This is a classic input validation weakness classified as CWE-89.

Affected Systems

All Gibbon installations running any version earlier than 30.0.01 are affected. Exploitation requires authentication as a Teacher role or higher; no unauthenticated access is possible.

Risk and Exploitability

The CVSS score of 7 indicates high severity. EPSS score is not available, and the vulnerability is not listed in CISA KEV, suggesting no publicly confirmed exploits. Attackers must first gain or compromise a Teacher or higher account; within that privilege scope, the flaw allows direct manipulation of data, presenting a high risk if teacher accounts are weak or poorly protected.

Generated by OpenCVE AI on May 9, 2026 at 04:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Gibbon to version 30.0.01 or later
  • Limit Teacher and higher privileges to only those users who require database write permissions
  • Enforce strong password policies and monitor teacher account activity


Advisories

No advisories yet.

History

Sat, 09 May 2026 05:15:00 +0000 (values removed: none; values added listed below)

Title: Authenticated SQL Injection in Gibbon Tracking/Graphing Module Allowing Data Read/Write
First time appeared: Gibbonedu; Gibbonedu gibbon
Vendors & Products: Gibbonedu; Gibbonedu gibbon

Sat, 09 May 2026 03:00:00 +0000 (values removed: none; values added listed below)

Description: Gibbon versions before v30.0.01 are affected by an authenticated SQL Injection vulnerability by abusing the Tracking/graphing https://github.com/GibbonEdu/core/blob/c431e25fdc874adece5d2dc7e408e9aa2d1abadb/modules/Tracking/graphing.php#L145 feature. Successful exploitation requires Teacher or higher privileges. Exploitation could result in unintended read/write activities to the underlying database.
Weaknesses: CWE-89
References: none listed
Metrics: cvssV4_0 {'score': 7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: PRJBLK

Published:

Updated: 2026-05-09T02:41:46.505Z

Reserved: 2026-05-09T02:33:22.106Z

Link: CVE-2026-8207

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-09T03:16:16.227

Modified: 2026-05-09T03:16:16.227

Link: CVE-2026-8207

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-09T05:15:06Z

Weaknesses