CVE-2026-8208

Published: Mag 09, 2026 Last Modified: Mag 09, 2026

ExploitDB:

Other exploit source:

Google Dorks:

HIGH 8,9

Source: ab69c47f-b95e-4bf2-b2d9-4b1fd1b24b4a

Attack Vector: network

Attack Complexity: high

Privileges Required: high

User Interaction: none

Confidentiality: N/A

Integrity: N/A

Availability: N/A

Description

AI Translation Available

Gibbon versions before v30.0.01 are affected by a local file inclusion vulnerability resulting in RCE by changing the report archive directory and forcing interpretation of a user provided .zip as PHP. Successful exploitation requires Teacher or higher privileges. Exploitation could result in compromise of the underlying web server.

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

Draft

Abstraction: Variant Structure: Simple

Common Consequences

Security Scopes Affected:

Integrity Confidentiality Availability

Potential Impacts:

Execute Unauthorized Code Or Commands

Applicable Platforms

Languages: PHP

Technologies: Web Based, Web Server

Likelihood of Exploit: High

View CWE Details

https://github.com/GibbonEdu/core/releases/tag/v30.0.01

https://projectblack.io/blog/gibbon-v30-authenticated-sql-i…

https://projectblack.io/blog/gibbon-v30-authenticated-sql-injection-and-rce/#lo…

CVE-2026-8208

Description

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

Common Consequences

Applicable Platforms

Iscriviti alla newsletter