Description

PILOS (Platform for Interactive Live-Online Seminars) is a frontend for BigBlueButton. Prior to 4.10.0, Cross-Site Request Forgery (CSRF) vulnerability exists in an administrative API endpoint responsible for terminating all active video conferences on a single server. The affected endpoint performs a destructive action but is exposed via an HTTP GET request. Although proper authorization checks are enforced and the endpoint cannot be triggered cross-site, the use of GET allows the action to be implicitly invoked through same-site content (e.g. embedded resources rendered within the application). As a result, an authenticated administrator who views crafted content within the application may unknowingly trigger the endpoint, causing all active video conferences on the server to be terminated without explicit intent or confirmation. This vulnerability is fixed in 4.10.0.

INFO

Published Date :

2026-01-12T22:09:56.779Z

Last Modified :

2026-01-12T22:09:56.779Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-22800 vulnerability.

Vendors Products
Thm
  • Pilos
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-22800.

URL Resource
https://github.com/THM-Health/PILOS/commit/d9ab9bb7ac0a8581c25e24cb7db2152d40be4d1b cve-icon cve-icon
https://github.com/THM-Health/PILOS/security/advisories/GHSA-r24c-9p4j-rqw9 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact