PatchSiren

BigBlueButton CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

MEDIUM | BigBlueButton | CVE published 2026-05-18

CVE-2026-27737

A stored cross-site scripting (XSS) vulnerability exists in BigBlueButton's recording playback feature (presentation format) prior to version 3.0.19. The public chat messages displayed during recording playback were not properly sanitized, allowing a malicious actor to inject and execute arbitrary JavaScript when any user replays an affected recording. The vulnerability requires low privileges to exploit [truncated]