Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
BigBlueButton is an open-source virtual classroom. In versions prior to 3.0.19, the recording playback (presentation format) was not sanitizing user's input in public chat. This allowed for a malicious actor to craft and carry out a targeted XSS attack, activated on anyone replaying the recording. This issue has been fixed 3.0.19.
AnalysisAI
Stored XSS in BigBlueButton's bbb-playback recording component (versions prior to 3.0.19) allowed authenticated meeting participants to inject malicious scripts via public chat that execute silently against any user who later views the session recording in presentation format. The React component rendered chat messages via dangerouslySetInnerHTML without sanitization, meaning UI:N - no victim interaction beyond loading the recording URL was required to trigger execution. No public exploit identified at time of analysis; not listed in CISA KEV.
Technical ContextAI
The bbb-playback component is a React application that renders saved BigBlueButton session recordings. Three rendering paths were unsanitized: chat message text (src/components/chat/messages/user/text.js), reply-to message previews (src/components/chat/messages/reply/index.js), and shared notes (src/components/notes/index.js). All three used React's dangerouslySetInnerHTML prop, which explicitly bypasses React's built-in HTML escaping and passes content directly to the browser's innerHTML API. CWE-79 (Improper Neutralization of Input During Web Page Generation) - specifically stored XSS, as the payload persists in the recording data file and re-executes on each playback. The fix added DOMPurify 3.3.0 as a dependency and wrapped all dangerouslySetInnerHTML assignments with DOMPurify.sanitize(). Affected CPEs span three components: cpe:2.3:a:bigbluebutton:bigbluebutton:*, cpe:2.3:a:bigbluebutton:bbb-playback:*, and cpe:2.3:a:blindsidenetworks:scalite:*, indicating the vulnerability affects both standalone BigBlueButton deployments and enterprise Scalelite load-balanced clusters.
RemediationAI
Upgrade BigBlueButton to version 3.0.19 or later, available at https://github.com/bigbluebutton/bigbluebutton/releases/tag/v3.0.19, which bundles bbb-playback v5.4.3 containing the DOMPurify 3.3.0 sanitization fix. Scalelite deployments must separately upgrade to v1.7.0 or later (https://github.com/blindsidenetworks/scalelite/releases/tag/v1.7.0). Organizations maintaining a standalone bbb-playback deployment should update directly to v5.4.3, confirmed by the fix commit at https://github.com/bigbluebutton/bbb-playback/commit/09e89bfe4ff8488b68c3ff040d3081e419dc89b1. If immediate patching is not possible, restrict recording playback access to authenticated and trusted users only by disabling public/unauthenticated recording share links - note this disrupts asynchronous access for external learners. As an additional compensating control, audit existing recordings for suspicious script tags or event-handler attributes in chat logs before exposing them post-patch. Patch versions 3.0.19 (BigBlueButton), 5.4.3 (bbb-playback), and 1.7.0 (Scalelite) are confirmed by vendor release artifacts.
More in Bigbluebutton
View allBigBlueButton through 2.2.28 uses Ghostscript for processing of uploaded EPS documents, and consequently may be subject
BigBlueButton before 2.2.6 allows remote attackers to read arbitrary files because the presfilename (lowercase) value ca
The installation procedure in BigBlueButton before 2.2.28 (or earlier) uses ClueCon as the FreeSWITCH password, which al
An issue was discovered in BigBlueButton through 2.2.29. Rated high severity (CVSS 7.5), this vulnerability is remotely
The installation procedure in BigBlueButton before 2.2.28 (or earlier) exposes certain network services to external inte
BigBlueButton before 2.2.27 has an unsafe JODConverter setting in which LibreOffice document conversions can access exte
BigBlueButton before 2.2.5 allows remote attackers to obtain sensitive files via Local File Inclusion. Rated high severi
BigBlueButton versions 3.0.21 and below allow remote denial of service when ClamAV is configured following official docu
In BigBlueButton before 2.2.28 (or earlier), the client-side Mute button only signifies that the server should stop acce
BigBlueButton before 2.3 does not implement LibreOffice sandboxing. Rated medium severity (CVSS 6.5), this vulnerability
BigBlueButton before 2.2.7 allows remote authenticated users to read local files and conduct SSRF attacks via an uploade
In BigBlueButton before 2.2.28 (or earlier), uploaded presentations are sent to clients without a Content-Type header, w
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30811