CVE-2026-46404

Summary

BigBlueButton is an open-source virtual classroom. Prior to 3.0.23, the presentation URL validation did not properly restrict access to site local and link local addresses. The redirect following logic now pins resolved IPs. This issue is fixed in version 3.0.23.

Affected Software

VendorProductVersion RangeStatus
bigbluebuttonbigbluebutton< 3.0.23affected

Weaknesses

  • CWE-918: CWE-918: Server-Side Request Forgery (SSRF)

References