Scan free
LOWCVE-2026-22800CVSS 2.4

CVE-2026-22800: CSRF in PILOS BigBlueButton Frontend

Platform

other

Component

pilos

Fixed in

4.10.1

AI Confidence: highNVDEPSS 0.0%Reviewed: May 2026
View on NVD
Save

A Cross-Site Request Forgery (CSRF) vulnerability has been identified in PILOS, the frontend for BigBlueButton, affecting versions up to 4.10.0. This vulnerability exists in an administrative API endpoint used to terminate all active video conferences on a server. While authorization checks are in place, the use of an HTTP GET request for this destructive action allows for implicit invocation through same-site content, potentially leading to unintended conference terminations.

Impact and Attack Scenarios

The primary impact of this CSRF vulnerability lies in the potential for unauthorized termination of all active video conferences on a PILOS server. An attacker could leverage this to disrupt ongoing sessions, potentially impacting educational institutions, online training programs, or any organization utilizing BigBlueButton for live online seminars. While the endpoint requires proper authorization, the GET request method allows for implicit triggering through embedded resources or other same-site content, bypassing typical CSRF protections that rely on POST requests. This could lead to denial of service and disruption of critical online events.

Exploitation Context

This vulnerability is currently not listed on the CISA KEV catalog. Public proof-of-concept exploits are not widely available, suggesting a low probability of immediate exploitation. The vulnerability was disclosed on 2026-01-12. Given the relatively low CVSS score and the requirement for same-site content manipulation, the risk of widespread exploitation is considered moderate.

Threat Intelligence

Exploit Status

Proof of ConceptUnknown
CISA KEVNO
Internet ExposureHigh

EPSS

0.02% (5% percentile)

CISA SSVC

Exploitationnone
Automatableno
Technical Impactpartial

CVSS Vector

THREAT INTELLIGENCE· CVSS 3.1CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:N/A:L2.4LOWAttack VectorNetworkHow the attacker reaches the targetAttack ComplexityLowConditions required to exploitPrivileges RequiredHighAuthentication level needed to attackUser InteractionRequiredWhether a victim must take actionScopeUnchangedImpact beyond the vulnerable componentConfidentialityNoneRisk of sensitive data exposureIntegrityNoneRisk of unauthorized data modificationAvailabilityLowRisk of service disruptionnextguardhq.com · CVSS v3.1 Base Score
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required
High — admin or privileged account required to exploit.
User Interaction
Required — victim must take an action: open a file, click a link, or visit a crafted page.
Scope
Unchanged — impact is limited to the vulnerable component itself.
Confidentiality
None — no confidentiality impact. Attacker cannot read protected data.
Integrity
None — no integrity impact. Attacker cannot modify data.
Availability
Low — partial or intermittent denial of service. Attacker can degrade performance.

Affected Software

Componentpilos
VendorTHM-Health
Affected rangeFixed in
< 4.10.0 – < 4.10.04.10.1

Weakness Classification (CWE)

CWE-352

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated

Mitigation and Workarounds

The recommended mitigation for CVE-2026-22800 is to upgrade PILOS to version 4.10.0 or later, which addresses the vulnerability. As a temporary workaround, consider implementing strict Content Security Policy (CSP) headers to restrict the sources from which scripts can be executed within the PILOS application. This can help prevent malicious scripts from triggering the vulnerable endpoint. Additionally, review and strengthen server-side input validation to ensure that requests are properly authenticated and authorized before executing any destructive actions. After upgrading, confirm the fix by attempting to trigger the administrative endpoint from a different origin and verifying that the action is blocked.

How to fix

Update PILOS to version 4.10.0 or higher. This version corrects the CSRF vulnerability that allows unintentional termination of video conferences. The update prevents an authenticated administrator, when viewing malicious content, from accidentally triggering the termination of all active video conferences.

CVE Security Newsletter

Vulnerability analysis and critical alerts directly to your inbox.

Frequently asked questions

What is CVE-2026-22800 — CSRF in PILOS BigBlueButton Frontend?

CVE-2026-22800 is a Cross-Site Request Forgery (CSRF) vulnerability in PILOS versions up to 4.10.0, allowing attackers to potentially terminate all active video conferences on a server via a GET request.

Am I affected by CVE-2026-22800 in PILOS BigBlueButton Frontend?

You are affected if you are using PILOS versions 4.10.0 or earlier. Upgrade to 4.10.0 to mitigate the risk.

How do I fix CVE-2026-22800 in PILOS BigBlueButton Frontend?

Upgrade PILOS to version 4.10.0 or later. As a temporary workaround, implement strict Content Security Policy (CSP) headers.

Is CVE-2026-22800 being actively exploited?

There are currently no reports of active exploitation, but the vulnerability remains a potential risk.

Where can I find the official PILOS advisory for CVE-2026-22800?

Refer to the PILOS project's official security advisories for the most up-to-date information and guidance.

Is your project affected?

Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.

Scan freeSearch CVEs