CVE-2026-8207 PUBLISHED

Assigner: PRJBLK
Reserved: 09.05.2026 Published: 09.05.2026 Updated: 09.05.2026

Gibbon versions before v30.0.01 are affected by an authenticated SQL Injection vulnerability by abusing the Tracking/graphing https://github.com/GibbonEdu/core/blob/c431e25fdc874adece5d2dc7e408e9aa2d1abadb/modules/Tracking/graphing.php#L145 feature. Successful exploitation requires Teacher or higher privileges. Exploitation could result in unintended read/write activities to the underlying database.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N
CVSS Score: 7

Product Status

Vendor gibbonedu
Product gibbon
Versions Default: unaffected
  • affected from 0 to 30.0.01 (excl.)

References

Problem Types

  • CWE-89 Improper neutralization of special elements used in an SQL command ('SQL injection') CWE

Impacts

  • CAPEC-66 SQL Injection