CVE-2026-27737

Summary

BigBlueButton is an open-source virtual classroom. In versions prior to 3.0.19, the recording playback (presentation format) was not sanitizing user's input in public chat. This allowed for a malicious actor to craft and carry out a targeted XSS attack, activated on anyone replaying the recording. This issue has been fixed 3.0.19.

Affected Software

VendorProductVersion RangeStatus
bigbluebuttonbigbluebutton< 3.0.19affected
blindsidenetworksscalite< 1.7.0affected
bigbluebuttonbbb-playback< 5.4.3affected

Weaknesses

  • CWE-79: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References