PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-27737 BigBlueButton CVE debrief

A stored cross-site scripting (XSS) vulnerability exists in BigBlueButton's recording playback feature (presentation format) prior to version 3.0.19. Public chat messages displayed during recording playback were not properly sanitized, allowing a malicious actor to inject and execute arbitrary JavaScript whenever any user replays an affected recording. The vulnerability requires low privileges to exploit (an authenticated user able to post chat messages), has low attack complexity, and is triggered without user interaction during playback. The confidentiality impact is none, but the integrity impact is high, since attackers can modify client-side behavior. No availability impact is indicated. The issue has been resolved in BigBlueButton 3.0.19. ScaleLite, a load balancer for BigBlueButton, also released version 1.7.0, which may incorporate related fixes.

Vendor: BigBlueButton
Product: BigBlueButton
CVSS: MEDIUM 6.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-18
Original CVE updated: 2026-05-19
Advisory published: 2026-05-18
Advisory updated: 2026-05-19

Who should care

Organizations operating BigBlueButton virtual classroom instances, particularly those with public or semi-public access where recordings are shared. Educational institutions, corporate training departments, and webinar providers using BigBlueButton for recorded content distribution. Security teams responsible for web application security in e-learning platforms.

Technical summary

The vulnerability exists in the presentation format recording playback component of BigBlueButton. User-supplied input in public chat messages was rendered without adequate sanitization, enabling stored XSS. When any user subsequently replays the recording, the malicious script executes in their browser context. The attack vector is network-based, requires low privileges (authenticated user), and has no user interaction requirement during exploitation. The fix involves proper input sanitization in the playback rendering pipeline.

Defensive priority

Medium

Recommended defensive actions

  • Upgrade BigBlueButton to version 3.0.19 or later to remediate the stored XSS vulnerability in recording playback
  • If using ScaleLite for BigBlueButton load balancing, upgrade to version 1.7.0 or later
  • Review existing recorded sessions for suspicious chat content that may contain injected scripts
  • Implement Content Security Policy (CSP) headers as defense-in-depth for playback interfaces
  • Audit access logs for unusual activity related to recording playback access patterns
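As an added example (not BigBlueButton or bbb-playback code), two of the controls above in JavaScript: escaping recorded public chat text before it reaches the playback DOM, and a review pass that flags recorded messages carrying markup or event-handler attributes. The recorded message shape and the sample chat are constructed for the example.

```javascript
// Added example (not BigBlueButton or bbb-playback code): render recorded public
// chat messages as inert text, and flag recorded messages that carry markup.
// The recording message shape and sample chat below are constructed.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape every character HTML treats specially, so a recorded chat message
// can only ever be displayed as text, never parsed as markup.
function escapeChatText(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Build the HTML for one playback chat entry. The sender and message body
// are always escaped; only the surrounding structure is trusted markup.
function renderChatMessage(msg) {
  return `<li class="chat-message"><span class="sender">${escapeChatText(msg.sender)}</span>: ` +
         `<span class="text">${escapeChatText(msg.text)}</span></li>`;
}

// Review helper for recordings captured before the fix: flag messages whose
// text contains an HTML tag, an on*= event-handler attribute or a javascript: URL.
// A bare "<" followed by a space (e.g. "a < b") is ordinary text and is not flagged.
const MARKUP_RE = /<\/?[a-z!][^>]*>|\bon[a-z]+\s*=|javascript\s*:/i;

function flagSuspiciousChatMessages(messages) {
  return messages
    .map((msg, index) => ({ index, sender: msg.sender, text: msg.text }))
    .filter((m) => MARKUP_RE.test(m.text));
}

// Constructed sample of recorded public chat, as a reviewer might export it.
const SAMPLE_CHAT = [
  { sender: 'alice', text: 'Slide 3 please' },
  { sender: 'mallory', text: '<img src=x onerror=alert(1)>' },
  { sender: 'bob', text: 'a < b && c > d' },
];
```

Run the review helper over the chat export of each pre-3.0.19 recording and inspect the flagged messages by hand; the render function shows the escaping the fixed playback must apply unconditionally.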

Evidence notes

CVE published 2026-05-18; modified 2026-05-19. CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N. CWE-79 (Improper Neutralization of Input During Web Page Generation). Fix commits identified in bbb-playback and bigbluebutton repositories.

Official resources

2026-05-18