Skip to main content

BigBlueButton CVE-2026-27737

| EUVDEUVD-2026-30811 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-05-18 GitHub_M
6.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

3
Patch available
May 18, 2026 - 22:16 EUVD
Source Code Evidence Fetched
May 18, 2026 - 22:16 vuln.today
Analysis Generated
May 18, 2026 - 22:16 vuln.today

DescriptionGitHub Advisory

BigBlueButton is an open-source virtual classroom. In versions prior to 3.0.19, the recording playback (presentation format) was not sanitizing user's input in public chat. This allowed for a malicious actor to craft and carry out a targeted XSS attack, activated on anyone replaying the recording. This issue has been fixed 3.0.19.

AnalysisAI

Stored XSS in BigBlueButton's bbb-playback recording component (versions prior to 3.0.19) allowed authenticated meeting participants to inject malicious scripts via public chat that execute silently against any user who later views the session recording in presentation format. The React component rendered chat messages via dangerouslySetInnerHTML without sanitization, meaning UI:N - no victim interaction beyond loading the recording URL was required to trigger execution. No public exploit identified at time of analysis; not listed in CISA KEV.

Technical ContextAI

The bbb-playback component is a React application that renders saved BigBlueButton session recordings. Three rendering paths were unsanitized: chat message text (src/components/chat/messages/user/text.js), reply-to message previews (src/components/chat/messages/reply/index.js), and shared notes (src/components/notes/index.js). All three used React's dangerouslySetInnerHTML prop, which explicitly bypasses React's built-in HTML escaping and passes content directly to the browser's innerHTML API. CWE-79 (Improper Neutralization of Input During Web Page Generation) - specifically stored XSS, as the payload persists in the recording data file and re-executes on each playback. The fix added DOMPurify 3.3.0 as a dependency and wrapped all dangerouslySetInnerHTML assignments with DOMPurify.sanitize(). Affected CPEs span three components: cpe:2.3:a:bigbluebutton:bigbluebutton:*, cpe:2.3:a:bigbluebutton:bbb-playback:*, and cpe:2.3:a:blindsidenetworks:scalite:*, indicating the vulnerability affects both standalone BigBlueButton deployments and enterprise Scalelite load-balanced clusters.

RemediationAI

Upgrade BigBlueButton to version 3.0.19 or later, available at https://github.com/bigbluebutton/bigbluebutton/releases/tag/v3.0.19, which bundles bbb-playback v5.4.3 containing the DOMPurify 3.3.0 sanitization fix. Scalelite deployments must separately upgrade to v1.7.0 or later (https://github.com/blindsidenetworks/scalelite/releases/tag/v1.7.0). Organizations maintaining a standalone bbb-playback deployment should update directly to v5.4.3, confirmed by the fix commit at https://github.com/bigbluebutton/bbb-playback/commit/09e89bfe4ff8488b68c3ff040d3081e419dc89b1. If immediate patching is not possible, restrict recording playback access to authenticated and trusted users only by disabling public/unauthenticated recording share links - note this disrupts asynchronous access for external learners. As an additional compensating control, audit existing recordings for suspicious script tags or event-handler attributes in chat logs before exposing them post-patch. Patch versions 3.0.19 (BigBlueButton), 5.4.3 (bbb-playback), and 1.7.0 (Scalelite) are confirmed by vendor release artifacts.

CVE-2020-27605 CRITICAL POC
9.8 Oct 21

BigBlueButton through 2.2.28 uses Ghostscript for processing of uploaded EPS documents, and consequently may be subject

CVE-2020-12443 CRITICAL POC
9.8 Apr 29

BigBlueButton before 2.2.6 allows remote attackers to read arbitrary files because the presfilename (lowercase) value ca

CVE-2020-27613 HIGH POC
8.4 Oct 21

The installation procedure in BigBlueButton before 2.2.28 (or earlier) uses ClueCon as the FreeSWITCH password, which al

CVE-2020-29043 HIGH POC
7.5 Nov 26

An issue was discovered in BigBlueButton through 2.2.29. Rated high severity (CVSS 7.5), this vulnerability is remotely

CVE-2020-27610 HIGH POC
7.5 Oct 21

The installation procedure in BigBlueButton before 2.2.28 (or earlier) exposes certain network services to external inte

CVE-2020-27603 HIGH POC
7.5 Oct 21

BigBlueButton before 2.2.27 has an unsafe JODConverter setting in which LibreOffice document conversions can access exte

CVE-2020-12112 HIGH POC
7.5 Apr 23

BigBlueButton before 2.2.5 allows remote attackers to obtain sensitive files via Local File Inclusion. Rated high severi

CVE-2026-27466 HIGH POC
7.2 Feb 21

BigBlueButton versions 3.0.21 and below allow remote denial of service when ClamAV is configured following official docu

CVE-2020-27607 MEDIUM POC
6.5 Oct 21

In BigBlueButton before 2.2.28 (or earlier), the client-side Mute button only signifies that the server should stop acce

CVE-2020-27604 MEDIUM POC
6.5 Oct 21

BigBlueButton before 2.3 does not implement LibreOffice sandboxing. Rated medium severity (CVSS 6.5), this vulnerability

CVE-2020-25820 MEDIUM POC
6.5 Oct 21

BigBlueButton before 2.2.7 allows remote authenticated users to read local files and conduct SSRF attacks via an uploade

CVE-2020-27608 MEDIUM POC
6.1 Oct 21

In BigBlueButton before 2.2.28 (or earlier), uploaded presentations are sent to clients without a Content-Type header, w

Share

CVE-2026-27737 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy