Description
PILOS (Platform for Interactive Live-Online Seminars) is a frontend for BigBlueButton. Prior to 4.10.0, a Cross-Site Request Forgery (CSRF) vulnerability exists in an administrative API endpoint responsible for terminating all active video conferences on a single server. The affected endpoint performs a destructive action but is exposed via an HTTP GET request. Although proper authorization checks are enforced and the endpoint cannot be triggered cross-site, the use of GET allows the action to be implicitly invoked through same-site content (e.g. embedded resources rendered within the application). As a result, an authenticated administrator who views crafted content within the application may unknowingly trigger the endpoint, causing all active video conferences on the server to be terminated without explicit intent or confirmation. This vulnerability is fixed in 4.10.0.
Published: 2026-01-12
Score: 2.4 Low
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch
AI Analysis

Impact

A CSRF vulnerability in the administrative API of the PILOS platform allows the termination of all active video conferences on a server when the endpoint is invoked via an HTTP GET request. Because the action is destructive, any accidental or malicious trigger ends all ongoing meetings at once, leading to a significant disruption of service availability. The weakness is classified as a request forgery flaw (CWE-352).

Affected Systems

The flaw exists in THM‑Health PILOS versions earlier than 4.10.0, which are used as frontends for BigBlueButton. Administrators with authenticated access to the application can potentially trigger the endpoint by viewing crafted content that invokes the GET URL within the application context.

Risk and Exploitability

The CVSS score is 2.4, indicating a low severity. The EPSS score is below 1 %, suggesting a very low exploitation probability, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that an attacker would need an authenticated administrator to view crafted content within the same site, which would trigger the same‑site GET request to the termination endpoint. The endpoint is protected against cross‑site requests and requires administrative access, so the attack relies on a single administrator session. The impact is limited to the server’s active conferences; however, terminating all meetings simultaneously can disrupt service.

Generated by OpenCVE AI on April 18, 2026 at 16:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official patch to update PILOS to version 4.10.0 or later.
  • Ensure the termination endpoint uses a non‑GET method and requires a CSRF token—modify the server‑side code or configuration to enforce POST/DELETE and validate anti‑CSRF tokens.
  • Restrict the loading of external or embedded content in the admin interface to prevent same‑site requests that could unintentionally trigger the endpoint (e.g., disable iframes or external script loading within admin pages).
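The following Python example is added here to illustrate the weakness in the Description and the first two recommended actions above; it is not PILOS code, and the route path, status codes, and in-memory "server" are constructed for the illustration. It places a GET-exposed destructive endpoint next to a hardened variant that accepts only DELETE and validates a per-session anti-CSRF token, then models what a browser does when an admin views a page containing an embedded resource whose URL is the endpoint (a GET carrying the session cookie and no custom headers) versus what the application's own UI does (a DELETE carrying the token).

```python
"""Added illustration: why a destructive admin action must not live on GET.

The routes, paths and the in-memory 'server' below are constructed for this
example; they are not PILOS code. Requests are modelled as plain function
calls so the whole thing runs offline without a web framework.
"""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Server:
    """A hypothetical BigBlueButton server with some active meetings."""
    name: str
    meetings: set = field(default_factory=set)


@dataclass
class Session:
    """An authenticated session; carries the CSRF token the app issued for it."""
    user: str
    is_admin: bool
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))


def end_all_meetings(server: Server) -> int:
    """The destructive action itself: terminate every meeting on one server."""
    ended = len(server.meetings)
    server.meetings.clear()
    return ended


# --- vulnerable shape (pre-4.10.0 behaviour as the advisory describes it) ---
def vulnerable_handler(method, path, session, server, headers=None):
    """Authorization is enforced, but the action hangs off GET, so any same-site
    subresource load (an <img> or <iframe> src pointing at this URL) that the
    browser issues with the admin's cookie runs it without confirmation."""
    if not session.is_admin:
        return 403, "forbidden"
    if method == "GET" and path == f"/api/servers/{server.name}/meetings/end":
        return 200, f"ended {end_all_meetings(server)} meetings"
    return 404, "not found"


# --- hardened shape ---
def hardened_handler(method, path, session, server, headers=None):
    """Same endpoint, but: only DELETE is accepted (a browser never issues
    DELETE for an embedded resource), and the request must carry the session's
    CSRF token in a header, compared in constant time."""
    headers = headers or {}
    if not session.is_admin:
        return 403, "forbidden"
    if path != f"/api/servers/{server.name}/meetings/end":
        return 404, "not found"
    if method != "DELETE":
        return 405, "method not allowed"
    presented = headers.get("X-CSRF-TOKEN", "")
    if not hmac.compare_digest(presented, session.csrf_token):
        return 419, "csrf token mismatch"
    return 200, f"ended {end_all_meetings(server)} meetings"


def simulate_subresource_load(handler, session, server):
    """Model an admin viewing a page that embeds the endpoint URL as a resource:
    the browser sends GET with the session cookie and no custom headers.
    Returns the number of meetings still running afterwards."""
    handler("GET", f"/api/servers/{server.name}/meetings/end", session, server)
    return len(server.meetings)


def simulate_intentional_call(handler, session, server):
    """Model the application's own 'end all meetings' control: a DELETE from the
    app's JavaScript that attaches the CSRF token. Returns meetings still running."""
    handler("DELETE", f"/api/servers/{server.name}/meetings/end", session, server,
            headers={"X-CSRF-TOKEN": session.csrf_token})
    return len(server.meetings)


if __name__ == "__main__":
    admin = Session(user="alice", is_admin=True)
    for label, handler in (("vulnerable", vulnerable_handler), ("hardened", hardened_handler)):
        srv = Server("bbb-1", {"m1", "m2", "m3"})
        print(f"{label}: meetings left after embedded-resource GET =",
              simulate_subresource_load(handler, admin, srv))
        srv = Server("bbb-1", {"m1", "m2", "m3"})
        print(f"{label}: meetings left after intentional DELETE =",
              simulate_intentional_call(handler, admin, srv))
```

Two design points carry the fix: the method change alone already removes the embedded-resource trigger, because browsers only issue GET for subresources, and the token check additionally ties the call to a deliberate request from the application's own code rather than to whatever the session cookie happens to authorize. The 419 status is a constructed choice for this example, not a value taken from PILOS.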



Advisories

No advisories yet.

History

Wed, 21 Jan 2026 18:45:00 +0000

Type: CPEs
Values Added: cpe:2.3:a:thm:pilos:*:*:*:*:*:*:*:*

Tue, 13 Jan 2026 19:15:00 +0000

Type: Metrics
Values Added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 13 Jan 2026 09:30:00 +0000

Type: First Time appeared
Values Added: Thm; Thm pilos
Type: Vendors & Products
Values Added: Thm; Thm pilos

Mon, 12 Jan 2026 22:30:00 +0000

Type: Description
Values Added: PILOS (Platform for Interactive Live-Online Seminars) is a frontend for BigBlueButton. Prior to 4.10.0, Cross-Site Request Forgery (CSRF) vulnerability exists in an administrative API endpoint responsible for terminating all active video conferences on a single server. The affected endpoint performs a destructive action but is exposed via an HTTP GET request. Although proper authorization checks are enforced and the endpoint cannot be triggered cross-site, the use of GET allows the action to be implicitly invoked through same-site content (e.g. embedded resources rendered within the application). As a result, an authenticated administrator who views crafted content within the application may unknowingly trigger the endpoint, causing all active video conferences on the server to be terminated without explicit intent or confirmation. This vulnerability is fixed in 4.10.0.
Type: Title
Values Added: PILOS affected by a CSRF via GET request allows unintentional termination of all active video conferences
Type: Weaknesses
Values Added: CWE-352
Type: References
Type: Metrics
Values Added: cvssV3_1
{'score': 2.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:N/A:L'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-13T19:08:05.046Z

Reserved: 2026-01-09T22:50:10.287Z

Link: CVE-2026-22800

Vulnrichment

Updated: 2026-01-13T14:14:08.035Z

NVD

Status : Analyzed

Published: 2026-01-12T23:15:52.747

Modified: 2026-01-21T18:42:22.607

Link: CVE-2026-22800

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T16:30:05Z

Weaknesses