CVE-2026-8208
Local File Inclusion RCE in Gibbon LMS
Publication date: 2026-05-09
Last updated on: 2026-05-09
Assigner: ab69c47f-b95e-4bf2-b2d9-4b1fd1b24b4a
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| gibbon | core | up to 30.0.01 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-98 | The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not explicitly address how the local file inclusion vulnerability in Gibbon affects compliance with common standards and regulations such as GDPR or HIPAA.
Can you explain this vulnerability to me?
This vulnerability affects Gibbon versions before v30.0.01 and is a local file inclusion (LFI) flaw that can lead to remote code execution (RCE). It occurs by changing the report archive directory and forcing the system to interpret a user-provided .zip file as PHP code. Successful exploitation requires the attacker to have Teacher or higher privileges within the system.
The vulnerability allows an attacker to upload ZIP files containing malicious PHP code disguised as other file types. When these files are extracted and accessed through predictable paths, the attacker can execute arbitrary code on the underlying web server.
How can this vulnerability impact me?
Exploitation of this vulnerability can lead to compromise of the underlying web server hosting the Gibbon application. An attacker with Teacher or higher privileges could execute arbitrary code remotely, potentially gaining control over the server.
This could result in unauthorized access to sensitive data, disruption of services, and further attacks on the network or connected systems.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves identifying attempts to exploit the local file inclusion (LFI) and remote code execution (RCE) via the report archive directory in Gibbon versions before v30.0.01. Since exploitation requires Teacher or higher privileges, monitoring authenticated user actions related to report archiving and ZIP file uploads is critical.
Network or system detection can include:
- Monitoring web server logs for unusual requests involving ZIP file uploads or access to report archive directories.
- Checking for unexpected PHP file executions originating from user-uploaded ZIP archives.
- Using commands to search for recently modified or created PHP files in the report archive directory, for example (the path is a placeholder for your installation's archive directory):
  `find /path/to/gibbon/report/archive -name '*.php' -mtime -7`
- Reviewing user activity logs for Teacher or higher privilege accounts performing report archive operations.
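The checks in the list above, gathered into one script as an added example that is not part of the CVE record or of the Gibbon project. The archive path is an assumption; the script only reads the directory and reports what it finds.

```shell
#!/bin/sh
# Added example, not from the CVE record or the Gibbon project: a read-only
# check of a Gibbon report archive directory for the artifacts the detection
# notes above describe. The archive path is an assumption; pass your own.
# Requires: find, grep, and Info-ZIP unzip (to list archive entries).

# scan_report_archive DIR
#   Prints one "<kind>: <path>" line per finding. Returns 1 if anything was
#   found, 0 if the tree is clean, 2 if DIR does not exist. Kinds:
#     php-file      PHP source sitting directly in the archive tree
#     zip-with-php  ZIP whose entry list contains PHP files
#     zip-php-tag   file named .zip whose bytes contain a literal "<?php" tag,
#                   i.e. it would execute if served or included as PHP
scan_report_archive() {
    dir="$1"
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    rc=0

    # 1. PHP source anywhere under the archive directory (any depth).
    hits=$(find "$dir" -type f \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.phar' \) || true)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits" | sed 's/^/php-file: /'; rc=1
    fi

    # 2. Entry names inside each ZIP; unzip -Z1 prints one name per line.
    #    Archives that unzip cannot read yield no names and are skipped here.
    hits=$(find "$dir" -type f -iname '*.zip' -exec sh -c '
        for z in "$@"; do
            unzip -Z1 "$z" 2>/dev/null | grep -qiE "\.(php|phtml|phar)$" && printf "%s\n" "$z"
        done
        exit 0' sh {} + || true)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits" | sed 's/^/zip-with-php: /'; rc=1
    fi

    # 3. Raw byte scan for a PHP open tag (-a treats binary files as text).
    hits=$(find "$dir" -type f -iname '*.zip' -exec grep -la '<?php' {} + 2>/dev/null || true)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits" | sed 's/^/zip-php-tag: /'; rc=1
    fi

    return $rc
}

# Usage (path is a placeholder): scan_report_archive /path/to/gibbon/report/archive
```

A non-zero exit status makes the function usable as a cron or monitoring probe; findings still need manual review, since a legitimate report export is not expected to contain PHP at all.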
What immediate steps should I take to mitigate this vulnerability?
The primary immediate mitigation step is to upgrade Gibbon to version 30.0.01 or later, where this vulnerability has been addressed.
Additional mitigation steps include:
- Restricting Teacher or higher privilege accounts to trusted users only.
- Monitoring and limiting file uploads, especially ZIP files, to prevent malicious PHP code execution.
- Applying strict input validation and sanitization on report archive features if custom patches or interim fixes are applied.
- Raising awareness among administrators to watch for suspicious activity related to report archiving.