PT-2026-21364 · Clamav+1

Defnull +1 · Published 2026-02-21 · Updated 2026-02-26 · CVE-2026-27466

CVSS v3.1: 8.2 High (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H)

Name of the Vulnerable Software and Affected Versions

BigBlueButton versions 3.0.21 and below

Description

BigBlueButton is an open-source virtual classroom. Following the instructions in the official "Server Customization" documentation for using ClamAV as a presentation file scanner can leave a BigBlueButton server vulnerable to a Denial of Service. The documentation’s instructions expose the clamd ports (3310 and 7357) to the internet. A remote attacker can exploit this by sending complex or large documents to clamd, potentially wasting server resources or shutting down the clamd process. The clamd documentation warns against exposing this port. Mounting /var/bigbluebutton with write permissions into the container, as suggested in the documentation, could also pose a future risk if vulnerabilities in clamd allow file manipulation within that folder. Users are only affected if they have followed the specific instructions in the BigBlueButton documentation.

Recommendations

On versions prior to 3.0.22, do not follow the "Server Customization" documentation instructions for "Support for ClamAV as presentation file scanner". Do not expose ports 3310 and 7357 to the internet. Avoid mounting /var/bigbluebutton with write permissions into the container.
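One way to check a host for the two conditions described above, as an added example that is not from the advisory or the BigBlueButton documentation: it reads the JSON that `docker inspect` prints for a container and reports clamd ports 3310 or 7357 published on a non-loopback host address, and any writable mount that covers /var/bigbluebutton. The container name and the sample JSON are constructed for illustration, and host firewall rules are not taken into account.

```python
import ipaddress
import json

CLAMD_PORTS = {"3310", "7357"}   # ports named in the advisory
BBB_DIR = "/var/bigbluebutton"   # mount path named in the advisory

def is_loopback(host_ip):
    # Docker stores an empty HostIp when a port is published on all interfaces.
    if not host_ip:
        return False
    try:
        return ipaddress.ip_address(host_ip).is_loopback
    except ValueError:
        return False  # unparseable binding: treat it as exposed

def audit_container(info):
    """Return findings for one container object from `docker inspect`."""
    findings = []
    bindings = (info.get("HostConfig") or {}).get("PortBindings") or {}
    for container_port, hosts in bindings.items():
        port = container_port.split("/")[0]          # "3310/tcp" -> "3310"
        if port not in CLAMD_PORTS:
            continue
        for b in hosts or []:
            if not is_loopback(b.get("HostIp", "")):
                shown = b.get("HostIp") or "0.0.0.0"
                findings.append(f"port {port} published on {shown}:{b.get('HostPort')}")
    for m in info.get("Mounts") or []:
        src = m.get("Source")
        if not src or not m.get("RW", False):
            continue
        src = src.rstrip("/")  # "/" becomes "", which still matches as a parent below
        if src == BBB_DIR or src.startswith(BBB_DIR + "/") or BBB_DIR.startswith(src + "/"):
            findings.append(f"{m['Source']} mounted read-write at {m.get('Destination')}")
    return findings

# Constructed sample: trimmed output of `docker inspect` for a container named "clamav"
SAMPLE = json.loads("""[{"Name": "/clamav",
 "HostConfig": {"PortBindings": {
   "3310/tcp": [{"HostIp": "", "HostPort": "3310"}],
   "7357/tcp": [{"HostIp": "127.0.0.1", "HostPort": "7357"}]}},
 "Mounts": [{"Type": "bind", "Source": "/var/bigbluebutton",
             "Destination": "/var/bigbluebutton", "RW": true}]}]""")

if __name__ == "__main__":
    for container in SAMPLE:
        for finding in audit_container(container):
            print(f"{container['Name']}: {finding}")
```

On a real host, feed the function the parsed output of `docker inspect` for the ClamAV container instead of `SAMPLE`.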

Exploit

Fix

DoS

Exposure of Resource to Wrong Sphere

Weakness Enumeration

Related Identifiers

CVE-2026-27466
GHSA-WMHX-QW2P-W6GC

Affected Products

Bigbluebutton
Clamav