bigbluebutton — Vulnerabilities & Security Advisories 32

All 32 CVE vulnerabilities found in bigbluebutton, with AI-generated Chinese analysis, references, and POCs.

CVE ID	Title	CVSS	Severity	Published
CVE-2026-41127	BigBlueButton's missing authorization allows viewer to inject/overwrite captions CWE-639	6.5	Medium	2026-04-21
CVE-2026-41126	BigBlueButton has Open Redirect through bigbluebutton/api/join via get-parameter "logoutURL" CWE-601	4.3	Medium	2026-04-21
CVE-2026-27736	BigBlueButton has Open Redirect vulnerability in ApiController CWE-601	6.1	Medium	2026-02-25
CVE-2026-27467	BigBlueButton: Audio from participants to the server initially unmuted CWE-200	2.0	Low	2026-02-21
CVE-2026-27466	BigBlueButton: Exposed ClamAV port enables Denial of Service CWE-668	7.2	High	2026-02-21
CVE-2025-61602	BigBlueButton vulnerable to Chat DoS via invalid reactionEmojiId CWE-703	7.5	High	2025-10-09
CVE-2025-61601	BigBlueButton vulnerable to DoS via PollSubmitVote GraphQL mutation CWE-703	7.5	High	2025-10-09
CVE-2025-55200	BigBlueButton vulnerable to Stored XSS via name of user at Shared Notes CWE-79	7.1	High	2025-10-09
CVE-2023-7296	BigBlueButton <= 3.0.0-beta.4 - Authenticated (Author+) Stored Cross-Site Scripting CWE-79	6.4	Medium	2024-10-16
CVE-2024-39302	Some bbb-record-core files installed with wrong file permission CWE-269	3.7	Low	2024-06-28
CVE-2024-38518	bbb-web API additional parameters considered CWE-284	4.6	Medium	2024-06-28
CVE-2023-43798	BigBlueButton Blind SSRF When Uploading Presentation (mitigation bypass) CWE-918	5.6	Medium	2023-10-30
CVE-2023-43797	BigBlueButton Stored Cross-site Scripting vulnerability at Guest Lobby CWE-79	6.3	Medium	2023-10-30
CVE-2023-42804	BigBlueButton Path Traversal – Reading Certain File Extensions CWE-22	3.1	Low	2023-10-30
CVE-2023-42803	BigBlueButton Unrestricted File Upload vulnerability CWE-434	5.3	Medium	2023-10-30
CVE-2023-39991	WordPress BigBlueButton Plugin <= 3.0.0-beta.4 is vulnerable to Cross Site Scripting (XSS) CWE-79	7.1	High	2023-09-04
CVE-2023-33176	Blind SSRF When Uploading Presentation in BigBlueButton CWE-918	4.8	Medium	2023-06-26
CVE-2022-23488	BigBlueButton vulnerable to Insertion of Sensitive Information Into Sent Data CWE-201	6.5	Medium	2022-12-17
CVE-2022-23490	Improper access control to polling votes CWE-200	4.3	Medium	2022-12-16
CVE-2022-41964	BigBlueButton contains Response leaks in anonymous polls CWE-200	5.7	Medium	2022-12-16
CVE-2022-41963	BigBlueButton contains Improper Preservation of Permissions for whiteboard CWE-281	2.7	Low	2022-12-16
CVE-2022-41962	BigBlueButton contains Incorrect Authorization for setting emoji status CWE-863	2.7	Low	2022-12-16
CVE-2022-41961	BigBlueButton subject to Ineffective user bans CWE-346	4.3	Medium	2022-12-16
CVE-2022-41960	BigBlueButton contains DoS via failed authToken validation CWE-345	4.3	Medium	2022-12-15
CVE-2022-31064	Cross site scripting in username that will trigger by sending chat CWE-79	6.5	Medium	2022-06-27
CVE-2022-31065	Cross site scripting vulnerability for private chat in bigbluebutton CWE-79	6.5	Medium	2022-06-27
CVE-2022-29235	Limited data exposure for shared external videos in BigBlueButton CWE-200	5.3	Medium	2022-06-01
CVE-2022-29236	Improper access control for pencil annotations in BigBlueButton CWE-285	4.3	Medium	2022-06-01
CVE-2022-29234	Grace period for lock settings in public/private chats in BigBlueButton CWE-285	4.3	Medium	2022-06-01
CVE-2022-29233	Improper access control for breakout rooms in BigBlue Button CWE-285	4.3	Medium	2022-06-01

All 32 known CVE vulnerabilities affecting bigbluebutton with full Chinese analysis, references, and POCs where available.

Goal Reached Thanks to every supporter — we hit 100%!

bigbluebutton — Vulnerabilities & Security Advisories 32