Local File Inclusion Vulnerability in Gibbon by GibbonEdu
CVE-2026-8208
8.9 HIGH
Key Information:
Badges
Exploit Exists
Public PoC
What is CVE-2026-8208?
Gibbon is affected by a local file inclusion issue that permits remote code execution (RCE). This vulnerability allows users with Teacher privileges or higher to manipulate the report archive directory, leading to the execution of a user-supplied .zip file as PHP code. Exploiting this flaw may result in a complete compromise of the web server hosting the Gibbon application, making it critical for users to upgrade to version 30.0.01 or later.
Affected Version(s)
gibbon 0
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
References
CVSS V4
Score: 8.9
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Attack Required: None
Privileges Required: Undefined
User Interaction: None
Timeline
- Public PoC available
- Exploit known to exist
- Vulnerability published
- Vulnerability Reserved
