Bigbluebutton
CVEs (54)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2023-7296 | | Med | 0.42 | 6.4 | 0.00 | | Oct 16, 2024 | The BigBlueButton plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the moderator code and viewer code fields in versions up to, and including, 3.0.0-beta.4 due to insufficient input sanitization and output escaping. This makes it possible for… |
| CVE-2026-27737 | | Med | 0.35 | 6.5 | 0.00 | | May 18, 2026 | BigBlueButton is an open-source virtual classroom. In versions prior to 3.0.19, the recording playback (presentation format) was not sanitizing user input in public chat. This allowed a malicious actor to craft and carry out a targeted XSS attack, activated on anyone… |
| CVE-2026-41127 | | Med | 0.35 | 6.5 | 0.00 | | Apr 22, 2026 | BigBlueButton is an open-source virtual classroom. Versions prior to 3.0.24 have a missing authorization check that allows viewers to inject or overwrite captions. Version 3.0.24 tightened the permissions on who is able to submit captions. No known workarounds are available. |
| CVE-2024-38518 | | Med | 0.23 | 4.6 | 0.00 | | Jun 28, 2024 | BigBlueButton is an open-source virtual classroom designed to help teachers teach and learners learn. An attacker with a valid join link to a meeting can trick BigBlueButton into generating a signed join link with additional parameters. One of those parameters may be… |
| CVE-2026-41126 | | Med | 0.21 | 4.3 | 0.00 | | Apr 22, 2026 | BigBlueButton is an open-source virtual classroom. Versions prior to 3.0.24 have an Open Redirect through bigbluebutton/api/join via the GET parameter "logoutURL". Version 3.0.24 adjusted the handling of requests with an incorrect checksum so that the default logoutURL is used. No… |
| CVE-2024-39302 | | Low | 0.17 | 3.7 | 0.00 | | Jun 28, 2024 | BigBlueButton is an open-source virtual classroom designed to help teachers teach and learners learn. An attacker may be able to exploit the overly elevated file permissions in the `/usr/local/bigbluebutton/core/vendor/bundle/ruby/2.7.0/gems/resque-2.6.0` directory with the goal… |
| CVE-2020-25820 | | | 0.04 | — | 0.09 | | Oct 21, 2020 | BigBlueButton before 2.2.7 allows remote authenticated users to read local files and conduct SSRF attacks via an uploaded Office document that has a crafted URL in an ODF xlink field. |
| CVE-2020-27603 | | | 0.02 | — | 0.03 | | Oct 21, 2020 | BigBlueButton before 2.2.27 has an unsafe JODConverter setting in which LibreOffice document conversions can access external files. |
| CVE-2020-12112 | | | 0.01 | — | 0.05 | | Apr 23, 2020 | BigBlueButton before 2.2.5 allows remote attackers to obtain sensitive files via Local File Inclusion. |
| CVE-2026-27736 | | | 0.00 | — | 0.00 | | Feb 25, 2026 | BigBlueButton is an open-source virtual classroom. In versions on the 3.x branch prior to 3.0.20, the string received with errorRedirectUrl lacks validation; using it directly in the respondWithRedirect function leads to an Open Redirect vulnerability. BigBlueButton 3.0.20… |
| CVE-2026-27467 | | | 0.00 | — | 0.00 | | Feb 21, 2026 | BigBlueButton is an open-source virtual classroom. In versions 3.0.19 and below, when first joining a session with the microphone muted, the client sends audio to the server regardless of mute state. Media is discarded on the server side, so it isn't audible to any participants,… |
| CVE-2026-27466 | | | 0.00 | — | 0.00 | | Feb 21, 2026 | BigBlueButton is an open-source virtual classroom. In versions 3.0.21 and below, the official "Server Customization" documentation on support for ClamAV as a presentation file scanner contains instructions that leave a BBB server vulnerable to Denial of Service. The flawed… |
| CVE-2025-61602 | | | 0.00 | — | 0.00 | | Oct 9, 2025 | BigBlueButton is an open-source virtual classroom. A denial-of-service (DoS) vulnerability in versions prior to 3.0.13 allows any authenticated user to crash the chat functionality for all participants in a meeting by sending a malformed `reactionEmojiId` in the GraphQL mutation… |
| CVE-2025-61601 | | | 0.00 | — | 0.00 | | Oct 9, 2025 | BigBlueButton is an open-source virtual classroom. A Denial of Service (DoS) vulnerability in versions prior to 3.0.13 allows any authenticated user to freeze or crash the entire server by abusing the polling feature's `Choices` response type. By submitting a malicious payload… |
| CVE-2025-55200 | | | 0.00 | — | 0.00 | | Oct 9, 2025 | BigBlueButton is an open-source virtual classroom. In versions prior to 3.0.13, the "Shared Notes" feature contains a Stored Cross-Site Scripting (XSS) vulnerability with the input location being the "Username" field and the output location on the "Shared Notes" page, when a… |
| CVE-2023-43798 | | | 0.00 | — | 0.00 | | Oct 30, 2023 | BigBlueButton is an open-source virtual classroom. BigBlueButton prior to versions 2.6.12 and 2.7.0-rc.1 is vulnerable to Server-Side Request Forgery (SSRF). This issue is a bypass of CVE-2023-33176. A patch in versions 2.6.12 and 2.7.0-rc.1 disabled follow redirect at… |
| CVE-2023-43797 | | | 0.00 | — | 0.00 | | Oct 30, 2023 | BigBlueButton is an open-source virtual classroom. Prior to versions 2.6.11 and 2.7.0-beta.3, the Guest Lobby was vulnerable to cross-site scripting while users wait to enter the meeting, because unsanitized messages were inserted into the element using unsafe innerHTML. Text sanitizing was… |
| CVE-2023-42804 | | | 0.00 | — | 0.00 | | Oct 30, 2023 | BigBlueButton is an open-source virtual classroom. BigBlueButton prior to version 2.6.0-beta.1 has a path traversal vulnerability that allows an attacker with a valid starting folder path to traverse and read other files without authentication, assuming the files have certain… |
| CVE-2023-42803 | | | 0.00 | — | 0.01 | | Oct 30, 2023 | BigBlueButton is an open-source virtual classroom. BigBlueButton prior to version 2.6.0-beta.2 is vulnerable to unrestricted file upload, where the insertDocument API call does not validate the given file extension before saving the file, and does not remove it in case of… |
| CVE-2023-33176 | | | 0.00 | — | 0.00 | | Jun 26, 2023 | BigBlueButton is an open source virtual classroom designed to help teachers teach and learners learn. Affected versions contain a Server-Side Request Forgery (SSRF) vulnerability. In an `insertDocument` API request the user is able to supply a URL from which the… |