CVE Alert

CVE-2026-27737

MEDIUM 6.5

BigBlueButton has Stored XSS in bbb-playback replay

CVSS Score: 6.5
EPSS Score: 0.0%
EPSS Percentile: 0th

BigBlueButton is an open-source virtual classroom. In versions prior to 3.0.19, the recording playback (presentation format) did not sanitize user input from the public chat. This allowed a malicious actor to craft a targeted stored XSS attack that triggered for anyone replaying the recording. This issue has been fixed in 3.0.19.

CWE: CWE-79
Vendor: bigbluebutton
Product: bigbluebutton
Published: May 18, 2026
Last Updated: May 19, 2026

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: High
Availability: None

Affected Versions

bigbluebutton / bigbluebutton: < 3.0.19
blindsidenetworks / scalelite: < 1.7.0
bigbluebutton / bbb-playback: < 5.4.3

References

NVD ↗  CVE.org ↗  EPSS Data ↗

https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-8vv7-vj94-q2pv
https://github.com/bigbluebutton/bbb-playback/commit/09e89bfe4ff8488b68c3ff040d3081e419dc89b1
https://github.com/bigbluebutton/bigbluebutton/commit/69f45aa1b963dc7d80179d0155acc670aec5c4fc
https://github.com/bigbluebutton/bigbluebutton/releases/tag/v3.0.19
https://github.com/blindsidenetworks/scalelite/releases/tag/v1.7.0