Skip to main content

BigBlueButton CVE-2026-27737

| EUVD-2026-30811 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-05-18 GitHub_M
XSS
6.5
CVSS 3.1
Share

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

3
Patch available
May 18, 2026 - 22:16 EUVD
Source Code Evidence Fetched
May 18, 2026 - 22:16 vuln.today
Analysis Generated
May 18, 2026 - 22:16 vuln.today

DescriptionNVD

BigBlueButton is an open-source virtual classroom. In versions prior to 3.0.19, the recording playback (presentation format) was not sanitizing user's input in public chat. This allowed for a malicious actor to craft and carry out a targeted XSS attack, activated on anyone replaying the recording. This issue has been fixed 3.0.19.

AnalysisAI

Stored XSS in BigBlueButton's bbb-playback recording component (versions prior to 3.0.19) allowed authenticated meeting participants to inject malicious scripts via public chat that execute silently against any user who later views the session recording in presentation format. The React component rendered chat messages via dangerouslySetInnerHTML without sanitization, meaning UI:N - no victim interaction beyond loading the recording URL was required to trigger execution. …

Sign in for full analysis, threat intelligence, and remediation guidance.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

Share

CVE-2026-27737 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy