CVE-2026-27466

Exploit

EPSS 0.4%
Veröffentlicht 21.02.2026 07:14:49
Zuletzt bearbeitet 26.02.2026 18:59:18
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

BigBlueButton: Exposed ClamAV port enables Denial of Service

Exposed ClamAV port allowing denial of service

BigBlueButton is an open-source virtual classroom. In versions 3.0.21 and below, the official documentation for "Server Customization" on Support for ClamAV as presentation file scanner contains instructions that leave a BBB server vulnerable for Denial of Service. The flawed command exposes both ports (3310 and 7357) to the internet. A remote attacker can use this to send complex or large documents to clamd and waste server resources, or shutdown the clamd process. The clamd documentation explicitly warns about exposing this port. Enabling ufw (ubuntu firewall) during install does not help, because Docker routes container traffic through the nat table, which is not managed or restricted by ufw. Rules installed by ufw in the filter table have no effect on docker traffic. In addition, the provided example also mounts /var/bigbluebutton with write permissions into the container, which should not be required. Future vulnerabilities in clamd may allow attackers to manipulate files in that folder. Users are unaffected unless they have opted in to follow the extra instructions from BigBlueButton's documentation. This issue has been fixed in version 3.0.22.

Mögliche Gegenmaßnahme

Server: Install latest version

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 6

NVD 1 VulnDex Vulnerability Enrichment 2

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

BigBlueButton ≫ BigBlueButton Version < 3.0.22

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Weitere Schwachstelleninformationen

SystemBigBlueButton

≫

Produkt Server

Version < 3.0.22

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.4%	0.313

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	8.2	3.9	4.2	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
security-advisories@github.com	7.2	3.9	2.7	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:L

CWE-668 Exposure of Resource to Wrong Sphere

The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.

https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-wmhx-qw2p-w6gc

Patch

Vendor Advisory

Exploit

https://github.com/bigbluebutton/bigbluebutton/commit/f3d33d94a9682e87c7d41f55700b19d61e1ab8b4

Patch

https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-wmhx-qw2p-w6gc

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2026-27466

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-27466

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-27466

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-27466