CVE-2026-27737

Description

BigBlueButton is an open-source virtual classroom. In versions prior to 3.0.19, the recording playback (presentation format) was not sanitizing user's input in public chat. This allowed for a malicious actor to craft and carry out a targeted XSS attack, activated on anyone replaying the recording. This issue has been fixed 3.0.19.

PUBLISHED Reserved 2026-02-23 | Published 2026-05-18 | Updated 2026-05-19 | Assigner GitHub_M

Problem types

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Product status

References

github.com/...button/security/advisories/GHSA-8vv7-vj94-q2pv

github.com/...ommit/09e89bfe4ff8488b68c3ff040d3081e419dc89b1

github.com/...ommit/69f45aa1b963dc7d80179d0155acc670aec5c4fc

github.com/bigbluebutton/bigbluebutton/releases/tag/v3.0.19

github.com/blindsidenetworks/scalelite/releases/tag/v1.7.0

cve.org (CVE-2026-27737)

nvd.nist.gov (CVE-2026-27737)

Download JSON