CVE-2026-27737

🗓️ 18 May 2026 21:11:17Reported by GitHub_MType

BigBlueButton revealed stored cross site scripting in public chat during playback; fixed in 3.0.19.

Reporter	Title	Published	Views	Family All 8
ATTACKERKB	CVE-2026-27737	18 May 202621:11	–	attackerkb
CNNVD	BigBlueButton 跨站脚本漏洞	18 May 202600:00	–	cnnvd
Cvelist	CVE-2026-27737 BigBlueButton has Stored XSS in bbb-playback replay	18 May 202621:11	–	cvelist
EUVD	EUVD-2026-30811	18 May 202621:11	–	euvd
NVD	CVE-2026-27737	18 May 202622:16	–	nvd
Positive Technologies	PT-2026-41738	18 May 202600:00	–	ptsecurity
RedhatCVE	CVE-2026-27737	5 Jun 202619:33	–	redhatcve
Vulnrichment	CVE-2026-27737 BigBlueButton has Stored XSS in bbb-playback replay	18 May 202621:11	–	vulnrichment

Vulners

Node

bigbluebutton bigbluebuttonRange<3.0.19

blindsidenetworks scaliteRange<1.7.0

bigbluebutton bbb-playbackRange<5.4.3

[
  {
    "vendor": "bigbluebutton",
    "product": "bigbluebutton",
    "versions": [
      {
        "version": "< 3.0.19",
        "status": "affected"
      }
    ]
  },
  {
    "vendor": "blindsidenetworks",
    "product": "scalite",
    "versions": [
      {
        "version": "< 1.7.0",
        "status": "affected"
      }
    ]
  },
  {
    "vendor": "bigbluebutton",
    "product": "bbb-playback",
    "versions": [
      {
        "version": "< 5.4.3",
        "status": "affected"
      }
    ]
  }
]

Source	Link
github	www.github.com/bigbluebutton/bigbluebutton/releases/tag/v3.0.19
github	www.github.com/blindsidenetworks/scalelite/releases/tag/v1.7.0
github	www.github.com/bigbluebutton/bigbluebutton/commit/69f45aa1b963dc7d80179d0155acc670aec5c4fc
github	www.github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-8vv7-vj94-q2pv
github	www.github.com/bigbluebutton/bbb-playback/commit/09e89bfe4ff8488b68c3ff040d3081e419dc89b1

19 May 2026 15:04Current

5.7Medium risk

Vulners AI Score5.7

CVSS 3.16.5

EPSS0.00036

SSVC

CWE-79