CVE-2026-27737 MEDIUM

CVE-2026-27737: BigBlueButton has Stored XSS in bbb-playback replay

Vendor Bigbluebutton
Product bigbluebutton
Weakness CWE-79 · XSS
Published May 18, 2026
Last update May 19, 2026

CVSS base score

6.5/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Scope Unchanged
Confidentiality None
Integrity High
Availability None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

What the vulnerability does

Description

BigBlueButton is an open-source virtual classroom. In versions prior to 3.0.19, the recording playback component (presentation format) did not sanitize user input from the public chat before rendering it. A malicious actor with access to the public chat of a recorded meeting could post a crafted message containing HTML or script; because the message is stored with the recording, the payload executes in the browser of anyone who replays that recording, with no further interaction required. The CVSS vector reflects this: low privileges (a chat-capable participant), no user interaction beyond opening the replay, and an integrity impact from script running in the viewer's session. This issue has been fixed in 3.0.19.
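The bug class, as an added example that is not BigBlueButton's code and does not reproduce bbb-playback internals: a recording's chat events are interpolated into the playback page as raw HTML, so a message posted during the live session becomes markup at replay time. The message shape `{name, time, text}` and the sample recording are constructed for illustration; the hardened renderer escapes every untrusted field, and a small triage helper flags stored messages that carry markup so existing recordings can be reviewed.

```javascript
// Added example for CVE-2026-27737's bug class (stored XSS via recorded chat).
// Not BigBlueButton/bbb-playback code; message shape and sample data are hypothetical.

// Constructed sample of chat events stored with a recording (not a real recording).
const RECORDED_CHAT = [
  { name: "alice", time: 12, text: "Hello everyone" },
  { name: "mallory", time: 30, text: '<img src=x onerror="alert(document.cookie)">' },
  { name: "bob", time: 45, text: "Is 3 < 5? Yes & it's 'true'" },
];

// Vulnerable pattern: stored chat text is concatenated into the playback markup
// unchanged, so any HTML a participant typed becomes live elements on replay.
function renderChatUnsafe(messages) {
  return messages
    .map((m) => `<li class="chat"><b>${m.name}</b> [${m.time}s]: ${m.text}</li>`)
    .join("\n");
}

// HTML-escape the five characters that can break out of an element text context.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened pattern: every participant-controlled field is escaped before
// interpolation, and numeric fields are coerced so they cannot carry markup.
// (In a real DOM renderer the equivalent is assigning to textContent rather than
// innerHTML / dangerouslySetInnerHTML.)
function renderChatSafe(messages) {
  return messages
    .map(
      (m) =>
        `<li class="chat"><b>${escapeHtml(m.name)}</b> [${Number(m.time)}s]: ${escapeHtml(m.text)}</li>`
    )
    .join("\n");
}

// True if the rendered HTML still contains an element carrying an inline event
// handler attribute or a <script> element, i.e. a payload survived rendering.
function hasActiveMarkup(html) {
  return /<[a-z][^>]*\son[a-z]+\s*=/i.test(html) || /<script\b/i.test(html);
}

// Triage helper for already-stored recordings: returns the messages whose text
// opens an HTML tag or uses a javascript: URL, so they can be reviewed before
// being served by a playback build that does not escape them.
function findMarkupInChat(messages) {
  return messages
    .filter((m) => /<\s*[a-z!/]/i.test(m.text) || /javascript:/i.test(m.text))
    .map((m) => ({ name: m.name, time: m.time }));
}

// Stand-alone demonstration.
console.log("unsafe render carries payload:", hasActiveMarkup(renderChatUnsafe(RECORDED_CHAT)));
console.log("safe render carries payload:  ", hasActiveMarkup(renderChatSafe(RECORDED_CHAT)));
console.log("messages needing review:", JSON.stringify(findMarkupInChat(RECORDED_CHAT)));
```

Note that bob's message contains a bare `<` and `&` but no tag; the escaping renderer preserves it as readable text, while the triage helper does not flag it, so the check distinguishes ordinary punctuation from an attempted payload.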

Key dates

Disclosure timeline

May 18, 2026 CVE published
May 19, 2026 Record updated
