CVE-2026-27736

EUVD-2026-8686
BigBlueButton is an open-source virtual classroom. In versions on the 3.x branch prior to 3.0.20, the string received with errorRedirectUrl lacks validation, using it directly in the respondWithRedirect function leads to an Open Redirect vulnerability. BigBlueButton 3.0.20 patches the issue. No known workarounds are available.
Open Redirect
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
6.1 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Affected Products (NVD)
VendorProductVersion
bigbluebuttonbigbluebutton
𝑥
< 3.0.20
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/bigbluebutton/bigbluebutton/commit/691f92f3af0d6b796b91cb968977068663119812
https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-65cv-rg9f-qqrx