What is the CVSS score of CVE-2026-27736?

CVE-2026-27736 has a CVSS 3.1 base score of 6.1 (Medium). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. EPSS exploitation probability: 0.0%.

Which versions of Open Redirect are affected by CVE-2026-27736?

Organizations using versions on the 3.x branch should be aware of moderate risk from CVE-2026-27736 rated CVSS 6.1. Exploitation could compromise the security of affected deployments.. A patch is available.

Open Redirect CVE-2026-27736

MEDIUM

URL Redirection to Untrusted Site (Open Redirect) (CWE-601)

2026-02-25 security-advisories@github.com

Open Redirect Bigbluebutton

6.1

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

6.1 MEDIUM

AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:55 vuln.today

Patch released

Mar 05, 2026 - 18:26 nvd

Patch available

CVE Published

Feb 25, 2026 - 17:25 nvd

MEDIUM 6.1

DescriptionGitHub Advisory

BigBlueButton is an open-source virtual classroom. In versions on the 3.x branch prior to 3.0.20, the string received with errorRedirectUrl lacks validation, using it directly in the respondWithRedirect function leads to an Open Redirect vulnerability. BigBlueButton 3.0.20 patches the issue. No known workarounds are available.

AnalysisAI

Bigbluebutton versions up to 3.0.20 is affected by url redirection to untrusted site (open redirect) (CVSS 6.1).

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Vulnerability AssessmentAI

Risk Assessment	CVSS 6.1 (MEDIUM). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker could exploit this flaw, an Open Redirect vulnerability.
Remediation	A vendor patch is available — apply it immediately. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 30 days: Identify affected systems running versions on the 3.x branch and apply vendor patches as part of regular patch cycle. …

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-53523 MEDIUM This Month

6.8 Jun 12

Host header injection in Nezha Monitoring versions 1.0.0 through 2.2.0 allows unauthenticated remote attackers to redire

CVE-2026-50089 MEDIUM This Month

6.1 Jun 12

Open redirect in the Aqara IAM/SSO Gateway (gw-builder.aqara.com) allows remote unauthenticated attackers to craft Aqara

CVE-2026-9679 MEDIUM This Month

5.9 Jun 17

HTTP response header injection in undici's cookie parser exposes proxy, middleware, and SSR framework applications to se

CVE-2026-10837 MEDIUM This Month

5.1 Jun 17

Open redirection in Password Manager exposes users to phishing attacks by failing to validate the X-Forwarded-Host HTTP

CVE-2026-10839 MEDIUM This Month