CVE-2026-27736

medium

Description

BigBlueButton is an open-source virtual classroom. In versions on the 3.x branch prior to 3.0.20, the string received with errorRedirectUrl is not validated, and using it directly in the respondWithRedirect function leads to an open redirect vulnerability. BigBlueButton 3.0.20 patches the issue. No known workarounds are available.

References

https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-65cv-rg9f-qqrx

https://github.com/bigbluebutton/bigbluebutton/commit/691f92f3af0d6b796b91cb968977068663119812

Details

Source: Mitre, NVD

Published: 2026-02-25

Updated: 2026-02-25

Risk Information

CVSS v2

Base Score: 5.8

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N

Severity: Medium

CVSS v3

Base Score: 6.1

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Severity: Medium