Description
BigBlueButton is an open-source virtual classroom. In versions prior to 3.0.19, the recording playback (presentation format) was not sanitizing user input in public chat. This allowed a malicious actor to craft and carry out a targeted XSS attack, activated on anyone replaying the recording. This issue has been fixed in 3.0.19.
Published: 2026-05-18
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In versions of BigBlueButton before 3.0.19, public chat messages posted during a session are stored with the recording without sanitization. When someone plays the recording back in the presentation format, the unsanitized chat content is rendered in their browser, allowing a malicious actor to inject and execute arbitrary JavaScript. An attacker can capture session cookies, deface the page, or perform other client‑side attacks, although the vulnerability does not grant direct access to server‑side resources.

Affected Systems

The vulnerability affects BigBlueButton’s playback component (bbb‑playback) and the main BigBlueButton application for any release prior to 3.0.19. Blindside Networks’ Scalelite component is also listed as affected, though no specific version range is specified; it should be updated to the latest release to avoid compatibility issues.

Risk and Exploitability

The CVSS score of 6.5 indicates a moderate impact. With no EPSS score available and the issue not listed in KEV, exploitation likelihood is uncertain but feasible. An attacker needs only to place a malicious chat message into a recording; any user who replays that recording will be exposed to the injected script. There are no known server‑side prerequisites beyond the ability to submit a chat message that ends up in a recording.

Generated by OpenCVE AI on May 18, 2026 at 22:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade BigBlueButton to version 3.0.19 or later, which removes the XSS flaw in the playback component.
  • Update Scalelite to the latest released version (e.g., v1.7.0) to maintain compatibility with the patched BigBlueButton.
  • Apply an interim mitigation by configuring the playback interface to strip or encode user‑generated chat content before rendering, or disable chat during playback until the official patch is in place.

Advisories

No advisories yet.

History

Mon, 18 May 2026 21:45:00 +0000

Type        | Values Removed | Values Added
Description | (none)         | BigBlueButton is an open-source virtual classroom. In versions prior to 3.0.19, the recording playback (presentation format) was not sanitizing user input in public chat. This allowed a malicious actor to craft and carry out a targeted XSS attack, activated on anyone replaying the recording. This issue has been fixed in 3.0.19.
Title       | (none)         | BigBlueButton has Stored XSS in bbb-playback replay
Weaknesses  | (none)         | CWE-79
References  | (none)         | (none)
Metrics     | (none)         | cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-18T21:11:17.611Z

Reserved: 2026-02-23T18:37:14.790Z

Link: CVE-2026-27737

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-18T22:16:37.523

Modified: 2026-05-18T22:16:37.523

Link: CVE-2026-27737

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-18T23:00:13Z

Weaknesses