Description

BigBlueButton is an open-source virtual classroom. In versions on the 3.x branch prior to 3.0.20, the string received with errorRedirectUrl is not validated, and using it directly in the respondWithRedirect function leads to an Open Redirect vulnerability. BigBlueButton 3.0.20 patches the issue. No known workarounds are available.

PUBLISHED Reserved 2026-02-23 | Published 2026-02-25 | Updated 2026-02-26 | Assigner GitHub_M




MEDIUM: 6.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Problem types

CWE-601: URL Redirection to Untrusted Site ('Open Redirect')

Product status

affected: >= 3.0.0, < 3.0.20

References

github.com/...button/security/advisories/GHSA-65cv-rg9f-qqrx

github.com/...ommit/691f92f3af0d6b796b91cb968977068663119812

cve.org (CVE-2026-27736)

nvd.nist.gov (CVE-2026-27736)
