Gibbon versions before v30.0.01 are affected by a local file inclusion vulnerability resulting in RCE by changing the report archive directory and forcing interpretation of a user provided .zip as PHP. Successful exploitation requires Teacher or higher privileges. Exploitation could result in compromise of the underlying web server.
{
"cna_assigner": "PRJBLK",
"cwe_ids": [
"CWE-98"
],
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/8xxx/CVE-2026-8208.json"
}{
"source": [
"AFFECTED_FIELD",
"DESCRIPTION",
"REFERENCES"
],
"extracted_events": [
{
"introduced": "0"
},
{
"fixed": "30.0.01"
},
{
"fixed": "v30.0.01"
}
]
}