CVE-2026-27737: BigBlueButton XSS Vulnerability

CVE-2026-27737 is an XSS vulnerability in BigBlueButton's recording playback that allows attackers to execute malicious scripts via unsanitized chat input. This article covers technical details, affected versions, and mitigation.

CVE-2026-27737 Overview

CVE-2026-27737 is a stored cross-site scripting (XSS) vulnerability in BigBlueButton, an open-source virtual classroom platform. The flaw exists in the recording playback component, specifically in the presentation format renderer. BigBlueButton versions prior to 3.0.19 fail to sanitize user input submitted through the public chat feature. An authenticated attacker can inject crafted payloads into chat messages during a session. When any user replays the recorded session, the malicious script executes in their browser context. The issue is classified under CWE-79 and was remediated in version 3.0.19.

Critical Impact

Authenticated session participants can inject persistent JavaScript that executes against every viewer replaying the recording, enabling targeted session hijacking and content tampering.

Affected Products

  • BigBlueButton versions prior to 3.0.19
  • bbb-playback recording playback component (presentation format)
  • Deployments using Scalelite versions prior to v1.7.0 for recording distribution

Discovery Timeline

  • 2026-05-18 - CVE-2026-27737 published to NVD
  • 2026-05-19 - Last updated in NVD database

Technical Details for CVE-2026-27737

Vulnerability Analysis

The vulnerability resides in the bbb-playback component that renders archived BigBlueButton sessions. During a live meeting, participants exchange messages through the public chat panel. These messages are persisted as part of the recording artifacts and later replayed alongside the presentation timeline. The playback renderer inserts chat content into the DOM without performing HTML encoding or sanitization. An attacker who joins a session with standard participant privileges can submit a chat message containing HTML or JavaScript. The payload remains dormant in the recording archive until a viewer opens the playback URL.

Root Cause

The root cause is missing output encoding in the recording playback rendering logic. Chat content captured during the live session was treated as trusted markup rather than untrusted user data. The upstream fixes in commits 09e89bf and 69f45aa introduce proper sanitization before chat strings reach the DOM.

Attack Vector

Exploitation requires the attacker to hold a valid session token with chat-write privileges, which corresponds to any standard meeting participant. The attacker submits a crafted chat message containing a script payload during a recorded session. Once the session ends and the recording is processed, the payload becomes embedded in the playback artifacts. Any subsequent viewer, including moderators, instructors, or anonymous link recipients, triggers execution by simply loading the recording URL. The script runs in the origin of the BigBlueButton playback server, granting access to session cookies, presenter actions, and any same-origin resources.

Detection Methods for CVE-2026-27737

Indicators of Compromise

  • Stored chat messages within recording archives containing <script>, <img onerror=, javascript: URIs, or event handler attributes such as onload and onmouseover.
  • Unexpected outbound HTTP requests from playback viewers' browsers to attacker-controlled domains shortly after opening a recording.
  • Anomalous DOM modifications or new iframes appearing during recording playback sessions.

Detection Strategies

  • Scan recording storage directories for chat transcript files containing HTML tags or JavaScript event handler patterns before serving playback.
  • Review web server access logs for /playback/presentation/ requests followed by requests to external resources from the same client.
  • Implement Content Security Policy (CSP) reporting on the playback endpoint to surface inline script execution attempts.

Monitoring Recommendations

  • Monitor BigBlueButton server version inventory against the fixed release 3.0.19.
  • Alert on chat message payloads exceeding expected text length or containing angle-bracketed markup at the time of recording.
  • Audit moderator and participant accounts that submitted chat messages immediately prior to recording finalization.

How to Mitigate CVE-2026-27737

Immediate Actions Required

  • Upgrade BigBlueButton to version 3.0.19 or later on all production and staging servers.
  • Update Scalelite deployments to v1.7.0 to ensure consistent playback sanitization across load-balanced recording delivery.
  • Audit existing recordings for previously injected payloads and re-process or remove affected archives.

Patch Information

The fix is available in BigBlueButton release v3.0.19 and tracked under GitHub Security Advisory GHSA-8vv7-vj94-q2pv. The relevant code changes are in the bbb-playback sanitization commit and the bigbluebutton repository commit. Scalelite users should reference the Scalelite v1.7.0 release.

Workarounds

  • Restrict access to recording playback URLs to authenticated users only until patching completes.
  • Disable public chat for sessions that will be recorded if upgrading is not immediately feasible.
  • Apply a strict Content Security Policy on the playback server to block inline script execution and unauthorized external resource loads.

```nginx
# Example strict CSP header for the playback nginx server block.
# Test it against the playback application first: the player may need
# additional script-src / connect-src sources before it loads cleanly.
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'self'" always;
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
