{"api_version":"1","generated_at":"2026-05-19T04:25:34+00:00","cve":"CVE-2026-27737","urls":{"html":"https://cve.report/CVE-2026-27737","api":"https://cve.report/api/cve/CVE-2026-27737.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-27737","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-27737"},"summary":{"title":"BigBlueButton has Stored XSS in bbb-playback replay","description":"BigBlueButton is an open-source virtual classroom. In versions prior to 3.0.19, the recording playback (presentation format) was not sanitizing user's input in public chat. This allowed for a malicious actor to craft and carry out a targeted XSS attack, activated on anyone replaying the recording. This issue has been fixed 3.0.19.","state":"PUBLISHED","assigner":"GitHub_M","published_at":"2026-05-18 22:16:37","updated_at":"2026-05-18 22:16:37"},"problem_types":["CWE-79","CWE-79 CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"],"metrics":[{"version":"3.1","source":"security-advisories@github.com","type":"Secondary","score":"6.5","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N","baseScore":6.5,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"NONE"}},{"version":"3.1","source":"CNA","type":"DECLARED","score":"6.5","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N","data":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":6.5,"baseSeverity":"MEDIUM","confidentialityImpact":"NONE","integrityImpact":"HIGH","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N","version":"3.1"}}],"references":[{"url":"https://github.com/blindsidenetworks/scalelite/releases/tag/v1.7.0","name":"https://github.com/blindsidenetworks/scalelite/releases/tag/v1.7.0","refsource":"security-advisories@github.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/bigbluebutton/bigbluebutton/commit/69f45aa1b963dc7d80179d0155acc670aec5c4fc","name":"https://github.com/bigbluebutton/bigbluebutton/commit/69f45aa1b963dc7d80179d0155acc670aec5c4fc","refsource":"security-advisories@github.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/bigbluebutton/bbb-playback/commit/09e89bfe4ff8488b68c3ff040d3081e419dc89b1","name":"https://github.com/bigbluebutton/bbb-playback/commit/09e89bfe4ff8488b68c3ff040d3081e419dc89b1","refsource":"security-advisories@github.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-8vv7-vj94-q2pv","name":"https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-8vv7-vj94-q2pv","refsource":"security-advisories@github.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/bigbluebutton/bigbluebutton/releases/tag/v3.0.19","name":"https://github.com/bigbluebutton/bigbluebutton/releases/tag/v3.0.19","refsource":"security-advisories@github.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-27737","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27737","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"bigbluebutton","product":"bigbluebutton","version":"affected < 3.0.19","platforms":[]},{"source":"CNA","vendor":"blindsidenetworks","product":"scalite","version":"affected < 1.7.0","platforms":[]},{"source":"CNA","vendor":"bigbluebutton","product":"bbb-playback","version":"affected < 5.4.3","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"product":"bigbluebutton","vendor":"bigbluebutton","versions":[{"status":"affected","version":"< 3.0.19"}]},{"product":"scalite","vendor":"blindsidenetworks","versions":[{"status":"affected","version":"< 1.7.0"}]},{"product":"bbb-playback","vendor":"bigbluebutton","versions":[{"status":"affected","version":"< 5.4.3"}]}],"descriptions":[{"lang":"en","value":"BigBlueButton is an open-source virtual classroom. In versions prior to 3.0.19, the recording playback (presentation format) was not sanitizing user's input in public chat. This allowed for a malicious actor to craft and carry out a targeted XSS attack, activated on anyone replaying the recording. This issue has been fixed 3.0.19."}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":6.5,"baseSeverity":"MEDIUM","confidentialityImpact":"NONE","integrityImpact":"HIGH","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N","version":"3.1"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-79","description":"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-05-18T21:11:17.611Z","orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M"},"references":[{"name":"https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-8vv7-vj94-q2pv","tags":["x_refsource_CONFIRM"],"url":"https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-8vv7-vj94-q2pv"},{"name":"https://github.com/bigbluebutton/bbb-playback/commit/09e89bfe4ff8488b68c3ff040d3081e419dc89b1","tags":["x_refsource_MISC"],"url":"https://github.com/bigbluebutton/bbb-playback/commit/09e89bfe4ff8488b68c3ff040d3081e419dc89b1"},{"name":"https://github.com/bigbluebutton/bigbluebutton/commit/69f45aa1b963dc7d80179d0155acc670aec5c4fc","tags":["x_refsource_MISC"],"url":"https://github.com/bigbluebutton/bigbluebutton/commit/69f45aa1b963dc7d80179d0155acc670aec5c4fc"},{"name":"https://github.com/bigbluebutton/bigbluebutton/releases/tag/v3.0.19","tags":["x_refsource_MISC"],"url":"https://github.com/bigbluebutton/bigbluebutton/releases/tag/v3.0.19"},{"name":"https://github.com/blindsidenetworks/scalelite/releases/tag/v1.7.0","tags":["x_refsource_MISC"],"url":"https://github.com/blindsidenetworks/scalelite/releases/tag/v1.7.0"}],"source":{"advisory":"GHSA-8vv7-vj94-q2pv","discovery":"UNKNOWN"},"title":"BigBlueButton has Stored XSS in bbb-playback replay"}},"cveMetadata":{"assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","assignerShortName":"GitHub_M","cveId":"CVE-2026-27737","datePublished":"2026-05-18T21:11:17.611Z","dateReserved":"2026-02-23T18:37:14.790Z","dateUpdated":"2026-05-18T21:11:17.611Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-05-18 22:16:37","lastModifiedDate":"2026-05-18 22:16:37","problem_types":["CWE-79","CWE-79 CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N","baseScore":6.5,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":3.6}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"27737","Ordinal":"1","Title":"BigBlueButton has Stored XSS in bbb-playback replay","CVE":"CVE-2026-27737","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"27737","Ordinal":"1","NoteData":"BigBlueButton is an open-source virtual classroom. In versions prior to 3.0.19, the recording playback (presentation format) was not sanitizing user's input in public chat. This allowed for a malicious actor to craft and carry out a targeted XSS attack, activated on anyone replaying the recording. This issue has been fixed 3.0.19.","Type":"Description","Title":"BigBlueButton has Stored XSS in bbb-playback replay"}]}}}