CVE-2026-46404
MEDIUM
6.8
CVSS 3.1
Description
BigBlueButton is an open-source virtual classroom. Prior to 3.0.23, the presentation URL validation did not properly restrict access to site local and link local addresses. The redirect following logic now pins resolved IPs. This issue is fixed in version 3.0.23.
Metadata
Severity & Metrics
6.8
MEDIUM CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
Affected products (1)
| Vendor | Product | Platform | Versions |
|---|---|---|---|
| bigbluebutton | bigbluebutton | — | < 3.0.23 |
Weakness (CWE)
| CWE | Source | Description |
|---|---|---|
| CWE-918 | cna | CWE-918: Server-Side Request Forgery (SSRF) |
CVSS scores (1)
| Score | Severity | Version | Source | Vector |
|---|---|---|---|---|
| 6.8 | MEDIUM | 3.1 | cna | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N |
References (2)
- https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-xqm3-6q7q-4v5h https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-xqm3-6q7q-4v5h
- https://github.com/bigbluebutton/bigbluebutton/commit/7ccc60c965d744d9fb637715052352a1e59a2c27 https://github.com/bigbluebutton/bigbluebutton/commit/7ccc60c965d744d9fb637715052352a1e59a2c27