Which versions of Gibbon are affected by CVE-2026-8207?

CVE-2026-8207 is a SQL injection vulnerability in Gibbon education platform versions before v30.0.01 that allows authenticated teachers to execute arbitrary database queries through the…. A patch is available.

Is there a public PoC exploit available for CVE-2026-8207?

Yes, a public proof-of-concept exploit is available for CVE-2026-8207. Prioritise patching immediately. EPSS: 0.0%.

Gibbon CVE-2026-8207

Q: What is the CVSS score of CVE-2026-8207?

CVE-2026-8207 has a CVSS 4.0 base score of 7.0 (High). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

EUVD-2026-28880 HIGH

SQL Injection (CWE-89)

2026-05-09 PRJBLK

GHSA-jhg5-9w7p-xm6m

PHP SQLi

7.0

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Lifecycle Timeline

Patch available

May 09, 2026 - 04:31 EUVD

Source Code Evidence Fetched

May 09, 2026 - 03:30 vuln.today

Analysis Generated

May 09, 2026 - 03:30 vuln.today

CVSS changed

May 09, 2026 - 03:22 NVD

7.0 (HIGH)

CVE Published

May 09, 2026 - 02:41 nvd

HIGH 7.0

DescriptionNVD

Gibbon versions before v30.0.01 are affected by an authenticated SQL Injection vulnerability by abusing the Tracking/graphing https://github.com/GibbonEdu/core/blob/c431e25fdc874adece5d2dc7e408e9aa2d1abadb/modules/Tracking/graphing.php#L145 feature. Successful exploitation requires Teacher or higher privileges. Exploitation could result in unintended read/write activities to the underlying database.

AnalysisAI

SQL injection in Gibbon education platform versions prior to v30.0.01 enables authenticated users with Teacher privileges or higher to execute arbitrary SQL queries through the Tracking/graphing module. Exploitation allows unauthorized read and write access to the underlying database. …

RemediationAI

Within 24 hours: Identify all Gibbon installations and confirm versions; disable or restrict access to the Tracking/graphing module for all non-administrative teacher accounts pending remediation. Within 7 days: audit logs for suspicious SQL activity; review active teacher accounts and revoke unnecessary privileges; test upgrade path to v30.0.01 or later in a non-production environment. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-8207 vulnerability details – vuln.today

Back

Gibbon CVE-2026-8207

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Analysis

Full analysis requires sign-in

Share

Gibbon CVE-2026-8207

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code