ctipilot.ch

Education — virtual-classroom platforms and EdTech SaaS exposure

From CTI Weekly Summary — 2026-W21 (May 18 – May 24, 2026) · published 2026-05-18

BigBlueButton — the open-source virtual-classroom platform deployed across German DFN, Swiss SWITCH and pan-European GÉANT academic networks, including cantonal school deployments — disclosed three flaws (weak session-token randomness, API checksum bypass, SSRF) in bbb-web < 3.0.21 / < 3.0.23 (daily 2026-05-19). In parallel, 7-Eleven became the latest named victim of the ShinyHunters Salesforce campaign that also claimed Instructure/Canvas (§ 5) — keeping EdTech SaaS supply-chain exposure live for the universities and cantonal education directorates that depend on these platforms. Patch BigBlueButton to the fixed branches and re-audit Canvas/Instructure-connected OAuth scopes.