CVE-2026-22800

MEDIUM EPSS 2.7%
Published Jan 12, 20265mo ago · Modified Jun 17, 20262w ago
4.5 CVSS 3.1
Medium
Find Similar
Published Jan 12, 2026 5mo ago
Last Modified Jun 17, 2026 2w ago

Description

PILOS (Platform for Interactive Live-Online Seminars) is a frontend for BigBlueButton. Prior to 4.10.0, Cross-Site Request Forgery (CSRF) vulnerability exists in an administrative API endpoint responsible for terminating all active video conferences on a single server. The affected endpoint performs a destructive action but is exposed via an HTTP GET request. Although proper authorization checks are enforced and the endpoint cannot be triggered cross-site, the use of GET allows the action to be implicitly invoked through same-site content (e.g. embedded resources rendered within the application). As a result, an authenticated administrator who views crafted content within the application may unknowingly trigger the endpoint, causing all active video conferences on the server to be terminated without explicit intent or confirmation. This vulnerability is fixed in 4.10.0.

CVSS Details

Base Score
4.5
Exploitability
0.9
Impact
3.6
Vector string
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:N/A:H
Attack Vector Network
Attack Complexity Low
Privileges Required High
User Interaction Required
Scope Unchanged
Confidentiality None
Integrity None
Availability High

Threat Intelligence

EPSS Exploit Probability
2.7% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-352 Cross-Site Request Forgery (CSRF) Authentication

Affected Products 1

VendorProductVersionRange
thmpilos* <4.10.0

References 2

  • github.com https://github.com/THM-Health/PILOS/commit/d9ab9bb7ac0a8581c25e24cb7db2152d40be4d1b
    Patch
  • github.com https://github.com/THM-Health/PILOS/security/advisories/GHSA-r24c-9p4j-rqw9
    Third Party Advisory

Remediation

  • github.com https://github.com/THM-Health/PILOS/commit/d9ab9bb7ac0a8581c25e24cb7db2152d40be4d1b
    Patch