CVE-2026-46404
6.8
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
Summary
BigBlueButton is an open-source virtual classroom. Prior to 3.0.23, the presentation URL validation did not properly restrict access to site local and link local addresses. The redirect following logic now pins resolved IPs. This issue is fixed in version 3.0.23.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| bigbluebutton | bigbluebutton | < 3.0.23 | affected |
Weaknesses
- CWE-918: CWE-918: Server-Side Request Forgery (SSRF)
References
- https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-xqm3-6q7q-4v5h
- https://github.com/bigbluebutton/bigbluebutton/commit/7ccc60c965d744d9fb637715052352a1e59a2c27
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.