Platform
other
Component
pilos
Fixed in
4.10.1
A Cross-Site Request Forgery (CSRF) vulnerability has been identified in PILOS, the frontend for BigBlueButton, affecting versions up to 4.10.0. This vulnerability exists in an administrative API endpoint used to terminate all active video conferences on a server. While authorization checks are in place, the use of an HTTP GET request for this destructive action allows for implicit invocation through same-site content, potentially leading to unintended conference terminations.
The primary impact of this CSRF vulnerability lies in the potential for unauthorized termination of all active video conferences on a PILOS server. An attacker could leverage this to disrupt ongoing sessions, potentially impacting educational institutions, online training programs, or any organization utilizing BigBlueButton for live online seminars. While the endpoint requires proper authorization, the GET request method allows for implicit triggering through embedded resources or other same-site content, bypassing typical CSRF protections that rely on POST requests. This could lead to denial of service and disruption of critical online events.
This vulnerability is currently not listed on the CISA KEV catalog. Public proof-of-concept exploits are not widely available, suggesting a low probability of immediate exploitation. The vulnerability was disclosed on 2026-01-12. Given the relatively low CVSS score and the requirement for same-site content manipulation, the risk of widespread exploitation is considered moderate.
Exploit Status
EPSS
0.02% (5% percentile)
CISA SSVC
CVSS Vector
The recommended mitigation for CVE-2026-22800 is to upgrade PILOS to version 4.10.0 or later, which addresses the vulnerability. As a temporary workaround, consider implementing strict Content Security Policy (CSP) headers to restrict the sources from which scripts can be executed within the PILOS application. This can help prevent malicious scripts from triggering the vulnerable endpoint. Additionally, review and strengthen server-side input validation to ensure that requests are properly authenticated and authorized before executing any destructive actions. After upgrading, confirm the fix by attempting to trigger the administrative endpoint from a different origin and verifying that the action is blocked.
Update PILOS to version 4.10.0 or higher. This version corrects the CSRF vulnerability that allows unintentional termination of video conferences. The update prevents an authenticated administrator, when viewing malicious content, from accidentally triggering the termination of all active video conferences.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-22800 is a Cross-Site Request Forgery (CSRF) vulnerability in PILOS versions up to 4.10.0, allowing attackers to potentially terminate all active video conferences on a server via a GET request.
You are affected if you are using PILOS versions 4.10.0 or earlier. Upgrade to 4.10.0 to mitigate the risk.
Upgrade PILOS to version 4.10.0 or later. As a temporary workaround, implement strict Content Security Policy (CSP) headers.
There are currently no reports of active exploitation, but the vulnerability remains a potential risk.
Refer to the PILOS project's official security advisories for the most up-to-date information and guidance.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.