Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
5DescriptionCVE.org
Gibbon versions before v30.0.01 are affected by an authenticated SQL Injection vulnerability by abusing the Tracking/graphing https://github.com/GibbonEdu/core/blob/c431e25fdc874adece5d2dc7e408e9aa2d1abadb/modules/Tracking/graphing.php#L145 feature. Successful exploitation requires Teacher or higher privileges. Exploitation could result in unintended read/write activities to the underlying database.
AnalysisAI
SQL injection in Gibbon education platform versions prior to v30.0.01 enables authenticated users with Teacher privileges or higher to execute arbitrary SQL queries through the Tracking/graphing module. Exploitation allows unauthorized read and write access to the underlying database. Project Black Security Services has published detailed exploit documentation demonstrating the attack. While vendor release notes classify this as 'low severity, accessible to admin users only,' the CVSS 7.0 score and authenticated Teacher-level access requirement indicate moderate risk for multi-tenant or compromised-account scenarios.
Technical ContextAI
Gibbon is an open-source school management platform written in PHP. The vulnerability exists in the Tracking/graphing.php module at line 145, where user-supplied input is incorporated into SQL queries without proper sanitization or parameterized statements. This is a classic CWE-89 SQL injection flaw - the database interprets attacker-controlled data as executable SQL code rather than safe data. The affected component handles student tracking and data visualization features, requiring authenticated session state and Teacher role permissions enforced by Gibbon's role-based access control. The CPE identifier cpe:2.3:a:gibbonedu:gibbon confirms GibbonEdu's core product as the sole affected target, with all versions before v30.0.01 vulnerable.
RemediationAI
Upgrade to Gibbon v30.0.01 or later immediately. The patched release is available at https://github.com/GibbonEdu/core/releases/tag/v30.0.01 and directly addresses the SQL injection flaw in the Tracking/graphing module. Note that v30 minimum requirements are PHP 8.0 and MySQL 8.0, so infrastructure upgrades may be necessary before applying the patch. If immediate upgrade is not feasible, implement compensating controls: restrict access to the Tracking/graphing module by disabling it in module permissions for Teacher roles (retain access only for System Administrators who require the functionality), enable MySQL query logging to detect injection attempts, and implement web application firewall rules to block SQL metacharacters in Tracking module requests. These workarounds reduce attack surface but do not eliminate the vulnerability - upgrading remains the definitive fix. Review database access logs for suspicious queries executed by application database accounts between initial deployment and patch application to identify potential historical exploitation.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-28880
GHSA-jhg5-9w7p-xm6m