Plattform
other
Komponente
pilos
Behoben in
4.10.1
A Cross-Site Request Forgery (CSRF) vulnerability has been identified in PILOS, the frontend for BigBlueButton, affecting versions up to 4.10.0. This vulnerability exists in an administrative API endpoint used to terminate all active video conferences on a server. While authorization checks are in place, the use of an HTTP GET request for this destructive action allows for implicit invocation through same-site content, potentially leading to unintended conference terminations.
The primary impact of this CSRF vulnerability lies in the potential for unauthorized termination of all active video conferences on a PILOS server. An attacker could leverage this to disrupt ongoing sessions, potentially impacting educational institutions, online training programs, or any organization utilizing BigBlueButton for live online seminars. While the endpoint requires proper authorization, the GET request method allows for implicit triggering through embedded resources or other same-site content, bypassing typical CSRF protections that rely on POST requests. This could lead to denial of service and disruption of critical online events.
This vulnerability is currently not listed on the CISA KEV catalog. Public proof-of-concept exploits are not widely available, suggesting a low probability of immediate exploitation. The vulnerability was disclosed on 2026-01-12. Given the relatively low CVSS score and the requirement for same-site content manipulation, the risk of widespread exploitation is considered moderate.
Organizations utilizing PILOS as a frontend for BigBlueButton, particularly those with legacy configurations or shared hosting environments, are at risk. Educational institutions, online training providers, and any entity relying on BigBlueButton for live online seminars should prioritize upgrading to the patched version.
disclosure
Exploit-Status
EPSS
0.02% (5% Perzentil)
CISA SSVC
CVSS-Vektor
The recommended mitigation for CVE-2026-22800 is to upgrade PILOS to version 4.10.0 or later, which addresses the vulnerability. As a temporary workaround, consider implementing strict Content Security Policy (CSP) headers to restrict the sources from which scripts can be executed within the PILOS application. This can help prevent malicious scripts from triggering the vulnerable endpoint. Additionally, review and strengthen server-side input validation to ensure that requests are properly authenticated and authorized before executing any destructive actions. After upgrading, confirm the fix by attempting to trigger the administrative endpoint from a different origin and verifying that the action is blocked.
Actualice PILOS a la versión 4.10.0 o superior. Esta versión corrige la vulnerabilidad CSRF que permite la terminación no intencionada de videoconferencias. La actualización previene que un administrador autenticado, al visualizar contenido malicioso, active accidentalmente la terminación de todas las videoconferencias activas.
Schwachstellenanalysen und kritische Warnungen direkt in deinen Posteingang.
CVE-2026-22800 is a Cross-Site Request Forgery (CSRF) vulnerability in PILOS versions up to 4.10.0, allowing attackers to potentially terminate all active video conferences on a server via a GET request.
You are affected if you are using PILOS versions 4.10.0 or earlier. Upgrade to 4.10.0 to mitigate the risk.
Upgrade PILOS to version 4.10.0 or later. As a temporary workaround, implement strict Content Security Policy (CSP) headers.
There are currently no reports of active exploitation, but the vulnerability remains a potential risk.
Refer to the PILOS project's official security advisories for the most up-to-date information and guidance.
Lade deine Abhängigkeitsdatei hoch und erfahre sofort, ob dich diese und andere CVEs treffen.