CVE-2026-27737
Stored XSS in BigBlueButton Recording Playback
Publication date: 2026-05-18
Last updated on: 2026-05-18
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| bigbluebutton | bigbluebutton | up to 3.0.19 (excluding 3.0.19) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in BigBlueButton versions prior to 3.0.19, specifically in the recording playback feature when using the presentation format. The issue is that user input in the public chat was not properly sanitized, which allowed a malicious actor to craft a targeted Cross-Site Scripting (XSS) attack. This attack would be triggered when anyone replayed the recording containing the malicious input.
How can this vulnerability impact me?
The vulnerability can impact users by allowing an attacker to execute malicious scripts in the context of the victim's browser when they replay a recording. This can lead to unauthorized actions such as stealing session information or manipulating the playback interface. The CVSS score indicates a moderate severity with a high impact on integrity but no impact on confidentiality or availability.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade BigBlueButton to version 3.0.19 or later, where the issue has been fixed.
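The CWE-79 fix class for this issue is to entity-encode user-controlled chat text before it is placed in the playback page. As an added illustration (not BigBlueButton's code; the chat event shape and all sample values are constructed), the unsafe rendering pattern is shown beside the hardened one, with a small check a maintainer can run over recorded chat exports:

```javascript
// Added example, not BigBlueButton code. Chat records are a constructed shape:
// { name, message, timestamp } as they might be read from a recording archive.

// Entity-encode the five characters that can change HTML context.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Vulnerable pattern: user-controlled fields are concatenated into markup as-is,
// so whatever was typed into public chat is interpreted by every browser that
// later replays the recording (stored XSS).
function renderChatMessageUnsafe(evt) {
  return `<div class="chat-message"><span class="name">${evt.name}</span>` +
         `<span class="text">${evt.message}</span></div>`;
}

// Hardened pattern: every user-controlled field is escaped at the point of
// output; only the timestamp, coerced to a number, is inserted raw.
function renderChatMessageSafe(evt) {
  const ts = Number.isFinite(evt.timestamp) ? evt.timestamp : 0;
  return `<div class="chat-message" data-ts="${ts}">` +
         `<span class="name">${escapeHtml(evt.name)}</span>` +
         `<span class="text">${escapeHtml(evt.message)}</span></div>`;
}

// Regression check: a field that carried markup characters must not appear
// verbatim in the rendered output. Returns true when the output is inert.
function userTextIsInert(html, evt) {
  for (const field of [evt.name, evt.message]) {
    if (/[<>"'&]/.test(field) && html.includes(field)) return false;
  }
  return true;
}

// Constructed sample chat log for a local run.
const sampleChat = [
  { name: 'Alice', message: 'hello everyone', timestamp: 5 },
  { name: 'Bob', message: 'hi <b>all</b> & "bye"', timestamp: 12 },
];

for (const evt of sampleChat) {
  console.log(renderChatMessageSafe(evt), userTextIsInert(renderChatMessageSafe(evt), evt));
}
```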
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in BigBlueButton prior to version 3.0.19 involves a stored cross-site scripting (XSS) attack through unsanitized user input in public chat during recording playback. This type of vulnerability can lead to unauthorized script execution in users' browsers, potentially compromising user data or session integrity.
While the CVE description does not explicitly mention compliance with standards such as GDPR or HIPAA, vulnerabilities that allow for XSS attacks can impact compliance by risking the confidentiality and integrity of user data. Such security weaknesses may lead to unauthorized access or exposure of personal data, which is a concern under regulations like GDPR and HIPAA.
Therefore, addressing this vulnerability by upgrading to version 3.0.19 or later is important to maintain compliance with data protection and privacy regulations that require appropriate security measures to protect user information.