Description
Gibbon versions before v30.0.01 are affected by a path traversal vulnerability resulting in DoS by attempting extraction of web application PHP files; failed .zip extraction results in deletion of the file and a DoS condition. Successful exploitation requires Teacher or higher privileges. Exploitation could result in loss of availability of the web application.
Published: 2026-05-09
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A path traversal flaw in Gibbon allows a user with Teacher or higher privileges to direct the application to extract PHP files from a zip archive. The extraction repeatedly fails, triggering deletion of the targeted file and ultimately causing the web application to become unavailable. The weakness is a classic directory traversal flaw (CWE‑23) and leads only to loss of availability, with no direct code execution or data disclosure.

Affected Systems

Gibbon by GibbonEdu, versions prior to v30.0.01, is affected. The vendor is GibbonEdu and the product is Gibbon.

Risk and Exploitability

The CVSS score of 6.9 indicates a moderate severity. The EPSS score is not available, so the exact likelihood of exploitation in the wild is uncertain. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires an authenticated Teacher or higher account and is carried out via a path traversal attack that deletes application files, leading to a denial‑of‑service condition. Because privileged users are required, the risk is confined to environments where such accounts are present, but once the deletion occurs the entire application cannot serve users until the missing files are restored.

Generated by OpenCVE AI on May 9, 2026 at 05:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official patch by upgrading to Gibbon v30.0.01 or later.
  • Restrict or disable zip extraction functionality for Teacher accounts, or limit write permissions on the application root to prevent file deletion.
  • Enable file‑system auditing on the web application directory and configure alerts for abrupt file deletions or failed extraction attempts.


Advisories

No advisories yet.

History

Sat, 09 May 2026 05:45:00 +0000

Type                  Values Removed   Values Added
Title                                  Path Traversal Exploit Causes Denial of Service in Gibbon
First Time appeared                    Gibbonedu
                                       Gibbonedu gibbon
Vendors & Products                     Gibbonedu
                                       Gibbonedu gibbon

Sat, 09 May 2026 04:15:00 +0000

Type          Values Removed   Values Added
Description                    Gibbon versions before v30.0.01 are affected by a path traversal vulnerability resulting in DOS by attempting extraction of web application PHP files, failed .zip extraction results in deletion of the file and a DOS condition. Successful exploitation requires Teacher or higher privileges. Exploitation could result in loss of availability of the web application.
Weaknesses                     CWE-23
References
Metrics                        cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H'}


MITRE

Status: PUBLISHED

Assigner: PRJBLK

Published:

Updated: 2026-05-09T03:19:27.757Z

Reserved: 2026-05-09T03:01:00.284Z

Link: CVE-2026-8209

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-09T04:16:28.983

Modified: 2026-05-09T04:16:28.983

Link: CVE-2026-8209

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-09T05:30:16Z

Weaknesses