Skip to main content

Gibbon CVE-2026-8207

| EUVDEUVD-2026-28880 HIGH
SQL Injection (CWE-89)
2026-05-09 PRJBLK GHSA-jhg5-9w7p-xm6m
7.0
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
7.0 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

5
Patch available
May 09, 2026 - 04:31 EUVD
Source Code Evidence Fetched
May 09, 2026 - 03:30 vuln.today
Analysis Generated
May 09, 2026 - 03:30 vuln.today
CVSS changed
May 09, 2026 - 03:22 NVD
7.0 (HIGH)
CVE Published
May 09, 2026 - 02:41 nvd
HIGH 7.0

DescriptionCVE.org

Gibbon versions before v30.0.01 are affected by an authenticated SQL Injection vulnerability by abusing the Tracking/graphing https://github.com/GibbonEdu/core/blob/c431e25fdc874adece5d2dc7e408e9aa2d1abadb/modules/Tracking/graphing.php#L145 feature. Successful exploitation requires Teacher or higher privileges. Exploitation could result in unintended read/write activities to the underlying database.

AnalysisAI

SQL injection in Gibbon education platform versions prior to v30.0.01 enables authenticated users with Teacher privileges or higher to execute arbitrary SQL queries through the Tracking/graphing module. Exploitation allows unauthorized read and write access to the underlying database. Project Black Security Services has published detailed exploit documentation demonstrating the attack. While vendor release notes classify this as 'low severity, accessible to admin users only,' the CVSS 7.0 score and authenticated Teacher-level access requirement indicate moderate risk for multi-tenant or compromised-account scenarios.

Technical ContextAI

Gibbon is an open-source school management platform written in PHP. The vulnerability exists in the Tracking/graphing.php module at line 145, where user-supplied input is incorporated into SQL queries without proper sanitization or parameterized statements. This is a classic CWE-89 SQL injection flaw - the database interprets attacker-controlled data as executable SQL code rather than safe data. The affected component handles student tracking and data visualization features, requiring authenticated session state and Teacher role permissions enforced by Gibbon's role-based access control. The CPE identifier cpe:2.3:a:gibbonedu:gibbon confirms GibbonEdu's core product as the sole affected target, with all versions before v30.0.01 vulnerable.

RemediationAI

Upgrade to Gibbon v30.0.01 or later immediately. The patched release is available at https://github.com/GibbonEdu/core/releases/tag/v30.0.01 and directly addresses the SQL injection flaw in the Tracking/graphing module. Note that v30 minimum requirements are PHP 8.0 and MySQL 8.0, so infrastructure upgrades may be necessary before applying the patch. If immediate upgrade is not feasible, implement compensating controls: restrict access to the Tracking/graphing module by disabling it in module permissions for Teacher roles (retain access only for System Administrators who require the functionality), enable MySQL query logging to detect injection attempts, and implement web application firewall rules to block SQL metacharacters in Tracking module requests. These workarounds reduce attack surface but do not eliminate the vulnerability - upgrading remains the definitive fix. Review database access logs for suspicious queries executed by application database accounts between initial deployment and patch application to identify potential historical exploitation.

More in PHP

View all
CVE-2012-1823 CRITICAL POC
9.8 May 11

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not

CVE-2016-1555 CRITICAL POC
9.8 Apr 21

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear

CVE-2024-11680 CRITICAL POC
9.8 Nov 26

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2017-9841 CRITICAL POC
9.8 Jun 27

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c

CVE-2025-0108 HIGH POC
8.8 Feb 12

Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers

CVE-2021-25298 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2021-25296 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2013-4983 CRITICAL POC
10.0 Sep 10

The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-46506 CRITICAL POC
10.0 May 13

NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

Share

CVE-2026-8207 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy