CVE-2026-8207
Description
Gibbon versions before v30.0.01 are affected by an authenticated SQL injection vulnerability by abusing the Tracking/graphing feature (https://github.com/GibbonEdu/core/blob/c431e25fdc874adece5d2dc7e408e9aa2d1abadb/modules/Tracking/graphing.php#L145). Successful exploitation requires Teacher or higher privileges. Exploitation could result in unintended read/write activities to the underlying database.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Gibbon before v30.0.01 has an authenticated SQL injection in Tracking/graphing.php that enables database read/write by Teachers or higher.
Vulnerability Overview
Gibbon versions prior to v30.0.01 contain an authenticated SQL injection vulnerability in the Tracking/graphing.php module. The flaw stems from unsafe handling of user-supplied input in a SQL query built at the referenced line of the source file [1]. Specifically, the $dataType variable, which is expected to be either 'attainment' or 'effort', is concatenated directly into a dynamic SQL string without parameterization or proper validation [1]. Building the query by string interpolation and concatenation leaves the application open to injection.
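The pattern described above, as an added illustration that is not Gibbon's own code: a request-controlled selector concatenated into the query text, beside a hardened version that checks the value against a fixed allowlist and binds every user-controlled value as a parameter. The table and column names are assumptions for the example.

```php
<?php
// Added illustration (not Gibbon's code). Table/column names are assumed.

// Vulnerable pattern: $dataType comes straight from the request and is
// concatenated into the SQL text, so any value other than the two expected
// ones becomes part of the query itself instead of data.
function buildQueryUnsafe(string $dataType): string
{
    return "SELECT gibbonPersonID, value FROM tracking_entries"
         . " WHERE type = '" . $dataType . "'";
}

// Hardened pattern: reject anything outside the allowlist up front, then
// hand all values to the driver as bound parameters so they can never be
// parsed as SQL. The person IDs are bound one placeholder each rather than
// imploded into the string.
function fetchTrackingData(PDO $db, string $dataType, array $personIDs): array
{
    $allowedTypes = ['attainment', 'effort'];
    if (!in_array($dataType, $allowedTypes, true)) {
        throw new InvalidArgumentException('dataType must be attainment or effort');
    }
    if ($personIDs === []) {
        return []; // avoids an invalid "IN ()" clause
    }
    $placeholders = implode(',', array_fill(0, count($personIDs), '?'));
    $sql = "SELECT gibbonPersonID, value FROM tracking_entries"
         . " WHERE type = ? AND gibbonPersonID IN ($placeholders)";
    $stmt = $db->prepare($sql);
    $stmt->execute(array_merge([$dataType], array_map('intval', $personIDs)));
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}
```

The allowlist check is the important part for a fixed-vocabulary selector like $dataType: binding alone is not possible where the value selects a column or query fragment, so the value must be constrained to the known set before it touches the SQL.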
Exploitation
Prerequisites
Exploitation requires Teacher or higher privileges, as the vulnerable code path is only reachable when the user is authenticated and the $dataType parameter is set to 'attainment' or 'effort' [1]. An attacker with such access submits crafted POST parameters (gibbonPersonIDs, gibbonDepartmentIDs, and dataType) to trigger the injection [1]. No additional authentication bypass is required because the attacker already holds a valid account with sufficient permissions.
Potential Impact
If successfully exploited, this vulnerability allows an attacker to perform unintended read and write operations on the underlying database [1]. Depending on the database permissions and the overall application architecture, this could lead to unauthorized access to sensitive school data (e.g., student records, grades, personal information) or compromise the integrity of the database (e.g., modifying grades, deleting records). The advisory notes that this injection could be chained with other vulnerabilities to achieve remote code execution (RCE) [1].
Mitigation
The vulnerability is addressed in Gibbon release v30.0.01 [2]. Administrators are strongly encouraged to upgrade to v30.0.01 or later to eliminate the SQL injection. The release notes credit Nikolai Makaroff at Project Black Security Services for identifying the issue [2]. No other workarounds are documented; upgrading is the recommended path.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
References: 2
News mentions: 0
No linked articles in our index yet.