PatchSiren cyber security CVE debrief
CVE-2026-8207 Projectblack CVE debrief
CVE-2026-8207 is an authenticated SQL injection issue in Gibbon versions before v30.0.01. The flaw is triggered through the Tracking/graphing feature and requires Teacher or higher privileges. If exploited, it could allow unintended read and write activity against the underlying database.
- Vendor: Projectblack
- Product: Unknown
- CVSS: HIGH 7
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-09
- Original CVE updated: 2026-05-09
- Advisory published: 2026-05-09
- Advisory updated: 2026-05-09
Who should care
Administrators and security teams responsible for Gibbon deployments, especially schools or organizations that grant Teacher-level or higher accounts. Any environment still running a version earlier than v30.0.01 should treat this as a priority update.
Technical summary
According to the CVE description, the vulnerable path is the Tracking/graphing functionality in modules/Tracking/graphing.php. The weakness is classified as CWE-89 (SQL Injection). The attacker must already be authenticated and hold Teacher or higher privileges, which lowers exposure to anonymous attackers but still leaves privileged accounts able to manipulate database queries. The source references the v30.0.01 release as the fix point.
Defensive priority
High. Although exploitation requires authentication and elevated application privileges, successful SQL injection can affect confidentiality and integrity of the application database. Prioritize patching if Teacher-or-higher accounts are present or if the Tracking/graphing feature is enabled in production.
Recommended defensive actions
- Upgrade Gibbon to v30.0.01 or later.
- Review whether any Teacher-level or higher accounts are unnecessary and remove or disable them.
- Audit use of the Tracking/graphing feature and restrict access to the minimum set of trusted users.
- Monitor application and database logs for unusual query patterns or unexpected data access around the Tracking/graphing path.
- Validate that backups are current before and after upgrading, so database recovery is available if abuse is suspected.
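To make the first and fourth actions above concrete, here is an added example (not from the advisory, PatchSiren, or the Gibbon project) with two defender-side helpers: a version check against the v30.0.01 fix point named on the page, and a scan of web-server access logs for requests to modules/Tracking/graphing.php whose parameters carry SQL meta-characters. The log lines are constructed for the example; the combined log format, the parameter names and the pattern list are assumptions, and the heuristic only surfaces candidates for manual review, it does not confirm exploitation.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Fix point stated in the CVE record: Gibbon v30.0.01.
FIXED_VERSION = (30, 0, 1)
# Vulnerable path named in the advisory; matched as a suffix so that
# installs under a sub-directory are still covered.
VULNERABLE_PATH = "/modules/Tracking/graphing.php"


def parse_version(version: str) -> tuple:
    """Turn 'v30.0.01' or '29.0' into a comparable tuple (30, 0, 1)."""
    parts = tuple(int(p) for p in version.lstrip("vV").split("."))
    return parts + (0,) * (3 - len(parts))


def is_vulnerable_version(version: str) -> bool:
    """True when the reported Gibbon version predates the v30.0.01 fix."""
    return parse_version(version) < FIXED_VERSION


# Assumed combined log format: ip ident user [ts] "METHOD target HTTP/x" status size
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumed review heuristic: SQL meta-characters and keywords that have no
# business appearing in a graphing request's parameter values.
SQLI_HINTS = re.compile(r"""(?ix)
    ['"]                       # stray quote characters
  | --                         # SQL line comment
  | /\*                        # SQL block comment
  | \bunion\b \s+ \bselect\b   # stacked SELECT via UNION
  | \b(?:sleep|benchmark)\s*\( # time-based probing functions
""")


def scan_access_log(lines) -> list:
    """Return one dict per request to the Tracking/graphing path whose
    decoded parameters match SQLI_HINTS. Note that 'user' here is the
    HTTP auth user from the web server, not the Gibbon account; tie the
    hit to a Gibbon session via the application's own logs."""
    hits = []
    for raw in lines:
        m = LOG_LINE.match(raw)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if not url.path.endswith(VULNERABLE_PATH):
            continue
        flagged = [
            name for name, value in parse_qsl(url.query, keep_blank_values=True)
            if SQLI_HINTS.search(value)
        ]
        if flagged:
            hits.append({
                "ip": m.group("ip"),
                "timestamp": m.group("ts"),
                "status": m.group("status"),
                "flagged_params": flagged,
            })
    return hits


# Constructed sample log lines for the example (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [09/May/2026:10:00:01 +0000] "GET /modules/Tracking/graphing.php?gibbonPersonID=42 HTTP/1.1" 200 5120',
    '10.0.0.9 - - [09/May/2026:10:00:07 +0000] "GET /modules/Tracking/graphing.php?gibbonPersonID=42%27-- HTTP/1.1" 500 311',
    '10.0.0.9 - - [09/May/2026:10:00:09 +0000] "GET /index.php?q=%27 HTTP/1.1" 200 8000',
]

if __name__ == "__main__":
    print("v29.0.00 vulnerable:", is_vulnerable_version("v29.0.00"))
    for hit in scan_access_log(SAMPLE_LOG):
        print("review:", hit)
```

Only the second sample line is reported: it targets the graphing path and its decoded gibbonPersonID value contains a quote and a comment marker. The third line carries the same character but hits index.php, so it falls outside this advisory's scope and is left for broader WAF or application-log review.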
Evidence notes
The CVE record states that Gibbon versions before v30.0.01 are affected and that exploitation requires Teacher or higher privileges. The NVD record lists CWE-89 and references both the GibbonEdu/core v30.0.01 release tag and a ProjectBlack write-up. The source metadata contains a vendor field of "Projectblack", but the vulnerability description and release reference point to Gibbon/GibbonEdu core, so that vendor field should be treated as low-confidence and needs review.
Official resources
- CVE-2026-8207 CVE record (CVE.org)
- CVE-2026-8207 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: ab69c47f-b95e-4bf2-b2d9-4b1fd1b24b4a
Publicly disclosed on 2026-05-09, with the CVE and source record both showing the same published and modified timestamp.