{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-8207","assignerOrgId":"ab69c47f-b95e-4bf2-b2d9-4b1fd1b24b4a","state":"PUBLISHED","assignerShortName":"PRJBLK","dateReserved":"2026-05-09T02:33:22.106Z","datePublished":"2026-05-09T02:41:46.505Z","dateUpdated":"2026-05-11T14:42:39.387Z"},"containers":{"cna":{"providerMetadata":{"orgId":"ab69c47f-b95e-4bf2-b2d9-4b1fd1b24b4a","shortName":"PRJBLK","dateUpdated":"2026-05-09T02:41:46.505Z"},"problemTypes":[{"descriptions":[{"lang":"en","cweId":"CWE-89","description":"CWE-89 Improper neutralization of special elements used in an SQL command ('SQL injection')","type":"CWE"}]}],"impacts":[{"capecId":"CAPEC-66","descriptions":[{"lang":"en","value":"CAPEC-66 SQL Injection"}]}],"affected":[{"vendor":"gibbonedu","product":"gibbon","versions":[{"status":"affected","version":"0","lessThan":"30.0.01","versionType":"custom"}],"defaultStatus":"unaffected"}],"descriptions":[{"lang":"en","value":"Gibbon versions before v30.0.01 are affected by an authenticated SQL Injection vulnerability that can be exploited through the Tracking/graphing feature (https://github.com/GibbonEdu/core/blob/c431e25fdc874adece5d2dc7e408e9aa2d1abadb/modules/Tracking/graphing.php#L145). Successful exploitation requires Teacher or higher privileges. Exploitation could result in unintended read/write operations on the underlying database.","supportingMedia":[{"type":"text/html","base64":false,"value":"Gibbon versions before&nbsp;v30.0.01 are affected by an authenticated SQL Injection vulnerability that can be exploited through the <a href=\"https://github.com/GibbonEdu/core/blob/c431e25fdc874adece5d2dc7e408e9aa2d1abadb/modules/Tracking/graphing.php#L145\">Tracking/graphing</a> feature. Successful exploitation requires Teacher or higher privileges. \nExploitation could result in unintended read/write operations on the underlying database."}]}],"references":[{"url":"https://projectblack.io/blog/gibbon-v30-authenticated-sql-injection-and-rce/#sql-injectiongetting-warmed-up","tags":["exploit"]},{"url":"https://github.com/GibbonEdu/core/releases/tag/v30.0.01","tags":["vendor-advisory"]}],"metrics":[{"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}],"cvssV4_0":{"attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"HIGH","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","subConfidentialityImpact":"NONE","vulnIntegrityImpact":"LOW","subIntegrityImpact":"NONE","vulnAvailabilityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED","version":"4.0","baseSeverity":"HIGH","baseScore":7,"vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N"}}],"source":{"discovery":"UNKNOWN"},"x_generator":{"engine":"Vulnogram 1.0.2"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-05-11T14:42:30.688073Z","id":"CVE-2026-8207","options":[{"Exploitation":"poc"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-05-11T14:42:39.387Z"}}]}}