CVE-2026-27737
Status: Deferred - Pending Action
Stored XSS in BigBlueButton Recording Playback

Publication date: 2026-05-18

Last updated on: 2026-05-18

Assigner: GitHub, Inc.

Description
BigBlueButton is an open-source virtual classroom. In versions prior to 3.0.19, the recording playback (presentation format) did not sanitize user input from the public chat. This allowed a malicious actor to craft and carry out a targeted XSS attack that was triggered for anyone replaying the recording. This issue has been fixed in version 3.0.19.
Meta Information
Generated: 2026-06-10
AI Q&A: 2026-05-19
EPSS Evaluated: 2026-06-08
Affected Vendors & Products
Vendor: bigbluebutton
Product: bigbluebutton
Version / Range: all versions up to 3.0.19 (3.0.19 excluded)
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Compliance Impact

The vulnerability in BigBlueButton prior to version 3.0.19 is a stored cross-site scripting (XSS) flaw: messages posted to the public chat during a meeting were rendered without sanitization when the recording was replayed. This type of vulnerability can lead to unauthorized script execution in users' browsers, potentially compromising user data or session integrity.

While the CVE description does not explicitly mention compliance with standards such as GDPR or HIPAA, vulnerabilities that allow for XSS attacks can impact compliance by risking the confidentiality and integrity of user data. Such security weaknesses may lead to unauthorized access or exposure of personal data, which is a concern under regulations like GDPR and HIPAA.

Therefore, addressing this vulnerability by upgrading to version 3.0.19 or later is important to maintain compliance with data protection and privacy regulations that require appropriate security measures to protect user information.

Executive Summary

This vulnerability exists in BigBlueButton versions prior to 3.0.19, specifically in the recording playback feature when using the presentation format. The issue is that user input in the public chat was not properly sanitized, which allowed a malicious actor to craft a targeted Cross-Site Scripting (XSS) attack. This attack would be triggered when anyone replayed the recording containing the malicious input.

Impact Analysis

The vulnerability can impact users by allowing an attacker to execute malicious scripts in the context of the victim's browser when they replay a recording. This can lead to unauthorized actions such as stealing session information or manipulating the playback interface. The CVSS score indicates a moderate severity with a high impact on integrity but no impact on confidentiality or availability.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade BigBlueButton to version 3.0.19 or later, where the issue has been fixed.
