
bigbluebutton: Vulnerabilities & Security Advisories (34)

Browse all 34 CVE security advisories affecting bigbluebutton. AI-powered Chinese analysis, POCs, and references for each vulnerability.

BigBlueButton is an open-source virtual classroom platform for real-time online teaching: video conferencing, screen sharing, shared notes, polls and a collaborative whiteboard. The advisories recorded here (34 at the time of writing) cover the core server, the bbb-web API, the bbb-record-core recording pipeline and the Greenlight front end. The classes that recur in the list are open redirects (CWE-601) in Greenlight and in the bbb-web join API's logoutURL parameter; stored cross-site scripting (CWE-79) through user names, chat messages, shared notes and the guest lobby; blind server-side request forgery (CWE-918) during presentation upload, together with unrestricted file upload and path traversal; denial of service through GraphQL mutations, chat reactions and failed authToken validation; and missing or incorrect authorization on captions, polls, whiteboard annotations, emoji status and user bans. Most entries are rated Medium. The highest scores on this page belong to the two Greenlight open redirects (CVSS 9.1) and to the exposed ClamAV port that enables denial of service (7.2); several further entries are information leaks rather than code execution, and none of the advisories listed here describes remote code execution. Because fixes arrived in successive releases, operators should check the versions named in each advisory, keep both the server and Greenlight current, keep internal services such as ClamAV off public interfaces, and restrict who may create and join meetings.

CVE ID | Title | Product | CWE | CVSS | Severity | Published
--- | --- | --- | --- | --- | --- | ---
CVE-2026-41127 | BigBlueButton's missing authorization allows viewer to inject/overwrite captions | bigbluebutton | CWE-639 | 6.5 | Medium | 2026-04-21
CVE-2026-41126 | BigBlueButton has Open Redirect through bigbluebutton/api/join via get-parameter "logoutURL" | bigbluebutton | CWE-601 | 4.3 | Medium | 2026-04-21
CVE-2026-27736 | BigBlueButton has Open Redirect vulnerability in ApiController | bigbluebutton | CWE-601 | 6.1 | Medium | 2026-02-25
CVE-2026-27467 | BigBlueButton: Audio from participants to the server initially unmuted | bigbluebutton | CWE-200 | 2.0 | Low | 2026-02-21
CVE-2026-27466 | BigBlueButton: Exposed ClamAV port enables Denial of Service | bigbluebutton | CWE-668 | 7.2 | High | 2026-02-21
CVE-2025-61602 | BigBlueButton vulnerable to Chat DoS via invalid reactionEmojiId | bigbluebutton | CWE-703 | 7.5 | High | 2025-10-09
CVE-2025-61601 | BigBlueButton vulnerable to DoS via PollSubmitVote GraphQL mutation | bigbluebutton | CWE-703 | 7.5 | High | 2025-10-09
CVE-2025-55200 | BigBlueButton vulnerable to Stored XSS via name of user at Shared Notes | bigbluebutton | CWE-79 | 7.1 | High | 2025-10-09
CVE-2024-39302 | Some bbb-record-core files installed with wrong file permission | bigbluebutton | CWE-269 | 3.7 | Low | 2024-06-28
CVE-2024-38518 | bbb-web API additional parameters considered | bigbluebutton | CWE-284 | 4.6 | Medium | 2024-06-28
CVE-2022-36029 | BigBlueButton Greenlight Open Redirect vulnerability | greenlight | CWE-601 | 9.1 | Critical | 2024-04-25
CVE-2022-36028 | BigBlueButton Greenlight Open Redirect vulnerability | greenlight | CWE-601 | 9.1 | Critical | 2024-04-25
CVE-2023-43798 | BigBlueButton Blind SSRF When Uploading Presentation (mitigation bypass) | bigbluebutton | CWE-918 | 5.6 | Medium | 2023-10-30
CVE-2023-43797 | BigBlueButton Stored Cross-site Scripting vulnerability at Guest Lobby | bigbluebutton | CWE-79 | 6.3 | Medium | 2023-10-30
CVE-2023-42804 | BigBlueButton Path Traversal – Reading Certain File Extensions | bigbluebutton | CWE-22 | 3.1 | Low | 2023-10-30
CVE-2023-42803 | BigBlueButton Unrestricted File Upload vulnerability | bigbluebutton | CWE-434 | 5.3 | Medium | 2023-10-30
CVE-2023-33176 | Blind SSRF When Uploading Presentation in BigBlueButton | bigbluebutton | CWE-918 | 4.8 | Medium | 2023-06-26
CVE-2022-23488 | BigBlueButton vulnerable to Insertion of Sensitive Information Into Sent Data | bigbluebutton | CWE-201 | 6.5 | Medium | 2022-12-17
CVE-2022-23490 | Improper access control to polling votes | bigbluebutton | CWE-200 | 4.3 | Medium | 2022-12-16
CVE-2022-41964 | BigBlueButton contains Response leaks in anonymous polls | bigbluebutton | CWE-200 | 5.7 | Medium | 2022-12-16
CVE-2022-41963 | BigBlueButton contains Improper Preservation of Permissions for whiteboard | bigbluebutton | CWE-281 | 2.7 | Low | 2022-12-16
CVE-2022-41962 | BigBlueButton contains Incorrect Authorization for setting emoji status | bigbluebutton | CWE-863 | 2.7 | Low | 2022-12-16
CVE-2022-41961 | BigBlueButton subject to Ineffective user bans | bigbluebutton | CWE-346 | 4.3 | Medium | 2022-12-16
CVE-2022-41960 | BigBlueButton contains DoS via failed authToken validation | bigbluebutton | CWE-345 | 4.3 | Medium | 2022-12-15
CVE-2022-31064 | Cross site scripting in username that will trigger by sending chat | bigbluebutton | CWE-79 | 6.5 | Medium | 2022-06-27
CVE-2022-31065 | Cross site scripting vulnerability for private chat in bigbluebutton | bigbluebutton | CWE-79 | 6.5 | Medium | 2022-06-27
CVE-2022-31039 | Improper privilege management - Anyone can view room settings in GreenLight | greenlight | CWE-269 | 4.3 | Medium | 2022-06-27
CVE-2022-29235 | Limited data exposure for shared external videos in BigBlueButton | bigbluebutton | CWE-200 | 5.3 | Medium | 2022-06-01
CVE-2022-29236 | Improper access control for pencil annotations in BigBlueButton | bigbluebutton | CWE-285 | 4.3 | Medium | 2022-06-01
CVE-2022-29234 | Grace period for lock settings in public/private chats in BigBlueButton | bigbluebutton | CWE-285 | 4.3 | Medium | 2022-06-01

This page lists every published CVE security advisory associated with bigbluebutton. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.
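Advisory lists like this one are usually scraped into single lines in which the title, product, CWE, CVSS score, severity label and publication date run together with little or no separation. The script below is an added example written for this page; it is not the site's tooling and not BigBlueButton project code. It parses that run-together row format, ranks the entries for triage, counts them per CWE so the dominant weakness classes stand out, and flags any row whose severity label disagrees with the CVSS v3 qualitative band of its score (a common artefact when a site attaches its own label to a vendor score). The sample rows are copied from the table above; the `min_cvss` cut-off of 7.0 is an assumed triage threshold.

```python
import re
from collections import defaultdict

# Constructed sample: five rows copied in the run-together form in which the
# advisory list on this page was extracted (product name runs straight into
# the CWE id, severity straight into the date).
SAMPLE_ROWS = """\
CVE-2026-41126 BigBlueButton has Open Redirect through bigbluebutton/api/join via get-parameter "logoutURL" — bigbluebuttonCWE-601 4.3 Medium2026-04-21
CVE-2026-27466 BigBlueButton: Exposed ClamAV port enables Denial of Service — bigbluebuttonCWE-668 7.2 High2026-02-21
CVE-2025-55200 BigBlueButton vulnerable to Stored XSS via name of user at Shared Notes — bigbluebuttonCWE-79 7.1 High2025-10-09
CVE-2022-36029 BigBlueButton Greenlight Open Redirect vulnerability — greenlightCWE-601 9.1 Critical2024-04-25
CVE-2023-43798 BigBlueButton Blind SSRF When Uploading Presentation (mitigation bypass) — bigbluebuttonCWE-918 5.6 Medium2023-10-30
"""

ROW_RE = re.compile(
    r"(?P<cve>CVE-\d{4}-\d{4,}) "
    r"(?P<title>.+?)\s+[—–-]\s+"   # title ends at the dash before the product
    r"(?P<product>[a-z]+)"          # lower-case product name, no separator before "CWE"
    r"(?P<cwe>CWE-\d+) "
    r"(?P<cvss>\d+\.\d) "
    r"(?P<severity>Critical|High|Medium|Low)"
    r"(?P<published>\d{4}-\d{2}-\d{2})"
)


def parse_rows(text):
    """Turn scraped advisory lines into dicts; refuse silently-skipped garbage."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW_RE.fullmatch(line)
        if m is None:
            raise ValueError(f"unparseable advisory row: {line!r}")
        entry = m.groupdict()
        entry["cvss"] = float(entry["cvss"])
        entries.append(entry)
    return entries


def band(score):
    """CVSS v3.x qualitative rating scale for a base score."""
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def triage(entries, min_cvss=7.0):
    """Entries at or above the cut-off, highest score first, newest first on ties."""
    hot = [e for e in entries if e["cvss"] >= min_cvss]
    return sorted(hot, key=lambda e: (e["cvss"], e["published"]), reverse=True)


def by_cwe(entries):
    """Advisory count per CWE, most frequent first."""
    counts = defaultdict(int)
    for e in entries:
        counts[e["cwe"]] += 1
    return dict(sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])))


def inconsistent(entries):
    """CVE ids whose severity label does not match the CVSS band of their score."""
    return [e["cve"] for e in entries if band(e["cvss"]) != e["severity"]]


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_ROWS)
    for e in triage(rows):
        print(f'{e["cve"]}  {e["cvss"]:>4}  {e["severity"]:<8} {e["cwe"]:<8} {e["title"]}')
    print("per CWE:", by_cwe(rows))
    print("label/score mismatches:", inconsistent(rows))
```

Feed the full table to `parse_rows` and the same three functions give the page-wide picture: a CWE histogram, the rows that need attention first, and any row whose label should be double-checked against the advisory itself before it drives a patch decision.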