CVE-2026-8207
Received Received - Intake
Authenticated SQL Injection in Gibbon Education Platform

Publication date: 2026-05-09

Last updated on: 2026-05-09

Assigner: ab69c47f-b95e-4bf2-b2d9-4b1fd1b24b4a

Description
Gibbon versions before v30.0.01 are affected by an authenticated SQL Injection vulnerability by abusing the Tracking/graphing https://github.com/GibbonEdu/core/blob/c431e25fdc874adece5d2dc7e408e9aa2d1abadb/modules/Tracking/graphing.php#L145 feature. Successful exploitation requires Teacher or higher privileges. Exploitation could result in unintended read/write activities to the underlying database.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-09
Last Modified
2026-05-09
Generated
2026-06-19
AI Q&A
2026-05-09
EPSS Evaluated
2026-06-18
NVD
CVE-2026-8207
EUVD
EUVD-2026-28880
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
gibbon core to 30.0.01 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-8207 is an authenticated SQL Injection vulnerability in Gibbon versions before v30.0.01. It occurs in the Tracking/graphing feature, where user inputs are improperly validated and concatenated into SQL queries. Exploitation requires a user with Teacher or higher privileges. Successful exploitation allows an attacker to perform unintended read and write operations on the underlying database.

Impact Analysis

This vulnerability can allow an authenticated user with Teacher or higher privileges to manipulate the database through SQL injection. This could lead to unauthorized reading or modification of sensitive data stored in the database. Such actions might compromise data integrity, confidentiality, and availability within the Gibbon school management system.

Detection Guidance

Detection of this vulnerability involves identifying authenticated users with Teacher or higher privileges attempting to exploit the SQL injection in the Tracking/graphing feature of Gibbon versions before v30.0.01.

Since the vulnerability is an authenticated SQL injection, monitoring for unusual or unexpected SQL queries or database activity originating from the graphing module could help detect exploitation attempts.

Specific commands are not provided in the available resources, but general approaches include:

  • Reviewing web server logs for suspicious POST or GET requests to the Tracking/graphing.php endpoint.
  • Using database query logging to detect anomalous or malformed SQL queries related to the graphing feature.
  • Employing web application firewalls (WAF) with rules to detect SQL injection patterns in authenticated sessions.
Compliance Impact

The vulnerability allows authenticated users with Teacher or higher privileges to perform SQL injection attacks, potentially leading to unintended read/write activities on the underlying database.

Such unauthorized database access and manipulation could result in exposure or alteration of sensitive personal data managed by the Gibbon school management system.

This risk of data compromise may impact compliance with data protection regulations such as GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access and modification.

However, the provided information does not explicitly discuss compliance implications or specific regulatory impacts.

Mitigation Strategies

The primary immediate mitigation step is to upgrade Gibbon to version 30.0.01 or later, where this vulnerability has been addressed.

Additional steps include:

  • Restricting or monitoring access to the Tracking/graphing feature to only trusted users with Teacher or higher privileges.
  • Implementing input validation and sanitization controls if possible, to prevent SQL injection.
  • Raising awareness among administrators about the vulnerability and encouraging prompt patching.

Note that the update to v30.0.01 also raises minimum system requirements to PHP 8.0 and MySQL 8.0, so ensure your environment meets these requirements before upgrading.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-8207. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart