{"id":"CVE-2026-27737","summary":"BigBlueButton has Stored XSS in bbb-playback replay","details":"BigBlueButton is an open-source virtual classroom. In versions prior to 3.0.19, the recording playback (presentation format) was not sanitizing user's input in public chat. This allowed for a malicious actor to craft and carry out a targeted XSS attack, activated on anyone replaying the recording. This issue has been fixed 3.0.19.","aliases":["GHSA-8vv7-vj94-q2pv"],"modified":"2026-07-08T08:10:09.655598177Z","published":"2026-05-18T21:11:17.611Z","database_specific":{"cwe_ids":["CWE-79"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/27xxx/CVE-2026-27737.json","cna_assigner":"GitHub_M"},"references":[{"type":"WEB","url":"https://github.com/bigbluebutton/bigbluebutton/releases/tag/v3.0.19"},{"type":"WEB","url":"https://github.com/blindsidenetworks/scalelite/releases/tag/v1.7.0"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/27xxx/CVE-2026-27737.json"},{"type":"ADVISORY","url":"https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-8vv7-vj94-q2pv"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27737"},{"type":"FIX","url":"https://github.com/bigbluebutton/bbb-playback/commit/09e89bfe4ff8488b68c3ff040d3081e419dc89b1"},{"type":"FIX","url":"https://github.com/bigbluebutton/bigbluebutton/commit/69f45aa1b963dc7d80179d0155acc670aec5c4fc"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/bigbluebutton/bbb-playback","events":[{"introduced":"0"},{"fixed":"09e89bfe4ff8488b68c3ff040d3081e419dc89b1"}],"database_specific":{"source":["AFFECTED_FIELD","REFERENCES"],"extracted_events":[{"introduced":"0"},{"fixed":"5.4.3"}]}},{"type":"GIT","repo":"https://github.com/bigbluebutton/bigbluebutton","events":[{"introduced":"0"},{"fixed":"69f45aa1b963dc7d80179d0155acc670aec5c4fc"}],"database_specific":{"extracted_events":[{"introduced":"0"},{"fixed":"3.0.19"}],"source":["AFFECTED_FIELD","REFERENCES"]}},{"type":"GIT","repo":"https://github.com/blindsidenetworks/scalelite","events":[{"introduced":"0"},{"fixed":"832fda8eff87d8c2a17c3943e347afc8504c3897"}],"database_specific":{"source":["AFFECTED_FIELD","REFERENCES"],"extracted_events":[{"introduced":"0"},{"fixed":"1.7.0"}]}}],"versions":["v5.4.2","v5.4.1","v5.4.0","v5.3.5","v5.3.4","v5.3.3","v5.3.2","v5.3.1","v5.3.0","v5.2.1","v5.2.0","v5.1.3","v5.1.2","v5.1.1","v5.1.0","v5.0.2","v5.0.1","v5.0.0-rc.3","v5.0.0-rc.2","v5.0.0-rc.1","v5.0.0-beta.2","v5.0.0-beta.1","v5.0.0-alpha.3","v5.0.0-alpha.2","v5.0.0-alpha.1","v2.3.2","v2.3.1","v2.3.0","v3.0.18","v3.0.17","v3.0.16","v3.0.15","v3.0.14","v3.0.13","v3.0.12","v3.0.11","v3.0.8","v3.0.10","v3.0.9","v3.0.7","v3.0.5","v3.0.4","v3.0.2","v3.0.3","v3.0.0","v3.0.1","v3.0.0-rc.4","v3.0.0-rc.3","v3.0.0-rc.2","v3.0.0-rc.1","3.0.0-rc.1","v3.0.0-beta.7","v3.0.0-beta.6","v3.0.0-beta.5","v3.0.0-beta.4","v3.0.0-beta.3","v3.0.0-beta.2","v3.0.0-beta.1","v3.0.0-alpha.7","v3.0.0-alpha.6","v3.0.0-alpha.4","v3.0.0-alpha.3","v3.0.0-alpha.2","v3.0.0-alpha.1","v2.4-beta-4","v2.4-beta-3","v2.4-beta-2","v2.4-beta-1","v2.4-alpha-1","v2.3-rc-2","v2.3-rc-1","v2.3-beta-5","v2.3-beta-4","v2.3-beta-3","v2.3-beta-2","v2.3-beta-1","v2.3-alpha-8","v2.3-alpha-7","v2.3-alpha-6","v2.3-alpha-5","v2.3-alpha-4","v2.3-alpha-3","v2.3-alpha-2","v2.3-alpha-1","2.2-rc-3","2.2-rc-2","2.2-rc-1","2.2-beta-23","2.2-beta-22","2.2-beta-21","2.2-beta-20","2.2-beta-19","2.2-beta-18","2.2-beta-17","2.2-beta-16","2.2-beta-15","2.2-beta-14","2.2-beta-12","2.2-beta-11","2.2-beta-10","2.2-beta-9","2.2-beta-8","2.2-beta-7","2.2-beta-6","2.2-beta-5","2.2-beta-4","2.2-beta-3","2.2-beta-2","dcs-2-a","v0.9.0-beta","v0.8","v0.8rc2","v0.8b4.0","v0.8b4","v1.6.12.1","v1.6.12","v1.6.11","v1.6.11-alpha","v1.6.10","v1.6.9","v1.6.8","v1.6.7","v1.6.6","v1.6.6-alpha","v1.6.5-alpha","v1.6.5","v1.6.4-alpha","v1.6.4","v1.6.3","v1.6.2","v1.6.1","v1.6.0-alpha.1","v1.6.0","v1.5.1.7-beta.1","v1.5.1.7","v1.5.2-beta.1","v1.5.2-alpha.1","v1.5.1.6","v1.5.1.5","v1.5.1.4","v1.5.1.3","v1.5.1.2","v1.5.1.1","v1.5.1","v1.5.1-beta.1","v1.5.0","v1.5.0-beta.1","v1.4.2","v1.4.2-beta.2","v1.4.2-beta.1","v1.4.1-beta.2","v1.4.1","v1.4","v.1.4.0","v1.4-beta.1","v1.3.5.2-beta.1","v1.3.5.2","v1.3.5.1-beta.1","v1.3.5.1","v1.3.5","v1.3.5-beta.2","v1.3.5-beta.1","v1.3.4","1.3.4-beta.1.2","v1.3.4-beta.1.1","v1.3.4-beta.1","v1.3.3.1","v1.3.3","v1.3.3-beta.2","v1.3.3-beta.1","v1.3.2.1-beta.1","v1.3.2.1","v1.3.1-beta.3","v1.3.1","v1.3.1-beta.2","v1.3.1-beta.1","v1.3-beta.3","v1.3","v1.3-beta.2","v1.3-beta.1","v1.2","v1.2-beta.3","v1.2-beta.2","v1.2-beta.1","v1.1.7.1-beta.2","v1.1.7.1","v1.1.7.1-beta.1","v1.1.7-beta.1","v1.1.7","v1.1.6-beta.1","v1.1.6","v1.1.5.1","v1.1.5-beta.1","v1.1.5","v1.1.4","v1.1.3","v1.1.2","v1.1.1.0","v1.1.1","v1.1","v1.1-rc.1","v1.1-beta.4","v1.1-beta.3","v1.1-beta.2","v1.1-beta.1","v1.0.12","v1.0.11","v1.0.10","v1.0.9","v1.0.8","v1.0.7","v1.0.6","v1.0.5","v1.0.4","v1.0.3","v1.0.2","v1.0.1","v1.0","v0.1-alpha.4","v0.1-alpha.3","v0.1-alpha.2","v0.1-alpha.1.1","v0.1-alpha.1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-27737.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"}]}