cvedb.io
CVE-2026-22800
LOW · CVSS 2.4
EPSS exploitation probability: 0%
Published 2026-01-12T23:15:52.747 · Last modified 2026-06-17T10:20:27.217

Summary

PILOS (Platform for Interactive Live-Online Seminars) is a frontend for BigBlueButton. Prior to 4.10.0, Cross-Site Request Forgery (CSRF) vulnerability exists in an administrative API endpoint responsible for terminating all active video conferences on a single server. The affected endpoint performs a destructive action but is exposed via an HTTP GET request. Although proper authorization checks are enforced and the endpoint cannot be triggered cross-site, the use of GET allows the action to be implicitly invoked through same-site content (e.g. embedded resources rendered within the application). As a result, an authenticated administrator who views crafted content within the application may unknowingly trigger the endpoint, causing all active video conferences on the server to be terminat

Affected products

thm — pilos

Does this affect you?

Add your gear to cvedb and we'll alert you only when thm ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.