CVE-2026-22800

Name of the Vulnerable Software and Affected Versions PILOS versions prior to 4.10.0

Description PILOS (Platform for Interactive Live-Online Seminars) is a frontend for BigBlueButton. A Cross-Site Request Forgery (CSRF) issue exists in an administrative API endpoint responsible for terminating all active video conferences on a single server. The affected endpoint, exposed via an HTTP GET request, performs a destructive action. While authorization checks are in place, the use of a GET request allows implicit invocation through same-site content. An authenticated administrator viewing crafted content within the application may unknowingly trigger the endpoint, terminating all active video conferences without explicit intent. The vulnerable endpoint is an administrative API endpoint.

Recommendations Update to version 4.10.0 or later.