Description
Gibbon versions before v30.0.01 are affected by a local file inclusion vulnerability resulting in RCE by changing the report archive directory and forcing interpretation of a user provided .zip as PHP. Successful exploitation requires Teacher or higher privileges. Exploitation could result in compromise of the underlying web server.
Published: 2026-05-09
Score: 8.9 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a local file inclusion flaw that allows a teacher or higher privileged user to change the report archive directory and force the web server to treat a user-supplied .zip file as PHP code, resulting in remote code execution on the host. This flaw directly compromises the underlying web server and any services it runs.

Affected Systems

The affected product is Gibbon, an education management system from GibbonEdu. Versions prior to v30.0.01 are impacted. An attacker must be logged in with Teacher or higher privileges to exploit the flaw.

Risk and Exploitability

With a CVSS score of 8.9, the flaw is high severity. No EPSS data is available and the vulnerability is not listed in CISA's KEV catalog. The attack vector is inferred to be an authenticated exploit through the web interface (the CVSS 4.0 vector on this record gives network attack vector, high attack complexity and high privileges required), but once executed the attacker can run arbitrary code on the server. The absence of a publicly available exploit and the requirement for authenticated Teacher-level access lower the probability of external exploitation, yet the potential impact remains critical.

Generated by OpenCVE AI on May 9, 2026 at 05:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Gibbon to version v30.0.01 or later.
  • Configure the web server so that .zip files are not parsed as PHP and enforce strict file type validation.
  • Restrict write permissions on the report archive directory to prevent unauthorized directory manipulation.

Advisories

No advisories yet.

History

Sat, 09 May 2026 07:45:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Gibbonedu; Gibbonedu gibbon
Vendors & Products  |                | Gibbonedu; Gibbonedu gibbon

Sat, 09 May 2026 05:45:00 +0000

Type  | Values Removed | Values Added
Title |                | Local File Inclusion Leading to Remote Code Execution via Misconfigured Archive Directory in Gibbon

Sat, 09 May 2026 04:15:00 +0000

Type        | Values Removed | Values Added
Description |                | Gibbon versions before v30.0.01 are affected by a local file inclusion vulnerability resulting in RCE by changing the report archive directory and forcing interpretation of a user provided .zip as PHP. Successful exploitation requires Teacher or higher privileges. Exploitation could result in compromise of the underlying web server.
Weaknesses  |                | CWE-98
References  |                |
Metrics     |                | cvssV4_0: {'score': 8.9, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}


Subscriptions

Gibbonedu Gibbon
MITRE

Status: PUBLISHED

Assigner: PRJBLK

Published:

Updated: 2026-05-09T02:59:32.518Z

Reserved: 2026-05-09T02:47:18.032Z

Link: CVE-2026-8208

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-09T04:16:27.287

Modified: 2026-05-09T04:16:27.287

Link: CVE-2026-8208

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-09T07:30:27Z

Weaknesses