CVE-2026-8208
Gibbon v30.0.00 Authenticated LFI Resulting in RCE
Gibbon versions before v30.0.01 are affected by a local file inclusion vulnerability resulting in RCE by changing the report archive directory and forcing interpretation of a user provided .zip as PHP. Successful exploitation requires Teacher or higher privileges. Exploitation could result in compromise of the underlying web server.
https://www.cve.org/CVERecord?id=CVE-2026-8208
Gibbon v30.0.00: Authenticated SQL Injection and RCE
We go back to school to hunt down some SQL Injection, Local File Inclusion, and DoS in the Gibbon school management software.
Nikolai Makaroff