CVE-2026-27736

Published: Feb 25, 2026Modified: Mar 5, 2026

6.1

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Exploitability: 2.8 / Impact: 2.7

Source: security-advisories@github.com (Secondary)

Description

BigBlueButton is an open-source virtual classroom. In versions on the 3.x branch prior to 3.0.20, the string received with errorRedirectUrl lacks validation, using it directly in the respondWithRedirect function leads to an Open Redirect vulnerability. BigBlueButton 3.0.20 patches the issue. No known workarounds are available.

Affected (1)

Products: Bigbluebutton: Bigbluebutton

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Bigbluebutton Bigbluebutton	Before 3.0.20

Related CWEs

URL Redirection to Untrusted Site ('Open Redirect')

A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks.

References (2)

https://github.com/bigbluebutton/bigbluebutton/commit/691f92f3af0d6b796b91cb968977068663119812

Source: security-advisories@github.com

Patch

https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-65cv-rg9f-qqrx

Source: security-advisories@github.com

PatchVendor Advisory

Timeline

No history available yet.