{
  "resultsPerPage": 1,
  "startIndex": 0,
  "totalResults": 1,
  "format": "NVD_CVE",
  "version": "2.0",
  "timestamp": "2026-06-15T18:01:38.943",
  "vulnerabilities": [
    {
      "cve": {
        "id": "CVE-2026-22800",
        "sourceIdentifier": "security-advisories@github.com",
        "published": "2026-01-12T23:15:52.747",
        "lastModified": "2026-01-21T18:42:22.607",
        "vulnStatus": "Analyzed",
        "cveTags": [],
        "descriptions": [
          {
            "lang": "en",
            "value": "PILOS (Platform for Interactive Live-Online Seminars) is a frontend for BigBlueButton. Prior to 4.10.0, Cross-Site Request Forgery (CSRF) vulnerability exists in an administrative API endpoint responsible for terminating all active video conferences on a single server. The affected endpoint performs a destructive action but is exposed via an HTTP GET request. Although proper authorization checks are enforced and the endpoint cannot be triggered cross-site, the use of GET allows the action to be implicitly invoked through same-site content (e.g. embedded resources rendered within the application). As a result, an authenticated administrator who views crafted content within the application may unknowingly trigger the endpoint, causing all active video conferences on the server to be terminated without explicit intent or confirmation. This vulnerability is fixed in 4.10.0."
          },
          {
            "lang": "es",
            "value": "PILOS (Plataforma para Seminarios Interactivos en Vivo en Línea) es un frontend para BigBlueButton. Antes de la versión 4.10.0, existe una vulnerabilidad de falsificación de petición en sitios cruzados (CSRF) en un endpoint de API administrativo responsable de terminar todas las videoconferencias activas en un único servidor. El endpoint afectado realiza una acción destructiva pero está expuesto a través de una petición HTTP GET. Aunque se aplican comprobaciones de autorización adecuadas y el endpoint no puede ser activado de forma cruzada, el uso de GET permite que la acción sea invocada implícitamente a través de contenido del mismo sitio (por ejemplo, recursos incrustados renderizados dentro de la aplicación). Como resultado, un administrador autenticado que visualice contenido malicioso dentro de la aplicación podría activar el endpoint sin saberlo, provocando que todas las videoconferencias activas en el servidor sean terminadas sin intención explícita o confirmación. Esta vulnerabilidad está corregida en la versión 4.10.0."
          }
        ],
        "metrics": {
          "cvssMetricV31": [
            {
              "source": "security-advisories@github.com",
              "type": "Secondary",
              "cvssData": {
                "version": "3.1",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:N/A:L",
                "baseScore": 2.4,
                "baseSeverity": "LOW",
                "attackVector": "NETWORK",
                "attackComplexity": "LOW",
                "privilegesRequired": "HIGH",
                "userInteraction": "REQUIRED",
                "scope": "UNCHANGED",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "availabilityImpact": "LOW"
              },
              "exploitabilityScore": 0.9,
              "impactScore": 1.4
            },
            {
              "source": "nvd@nist.gov",
              "type": "Primary",
              "cvssData": {
                "version": "3.1",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:N/A:H",
                "baseScore": 4.5,
                "baseSeverity": "MEDIUM",
                "attackVector": "NETWORK",
                "attackComplexity": "LOW",
                "privilegesRequired": "HIGH",
                "userInteraction": "REQUIRED",
                "scope": "UNCHANGED",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "availabilityImpact": "HIGH"
              },
              "exploitabilityScore": 0.9,
              "impactScore": 3.6
            }
          ]
        },
        "weaknesses": [
          {
            "source": "security-advisories@github.com",
            "type": "Primary",
            "description": [
              {
                "lang": "en",
                "value": "CWE-352"
              }
            ]
          }
        ],
        "configurations": [
          {
            "nodes": [
              {
                "operator": "OR",
                "negate": false,
                "cpeMatch": [
                  {
                    "vulnerable": true,
                    "criteria": "cpe:2.3:a:thm:pilos:*:*:*:*:*:*:*:*",
                    "versionEndExcluding": "4.10.0",
                    "matchCriteriaId": "22DA1502-AFE6-4A80-B427-161C9B7726EB"
                  }
                ]
              }
            ]
          }
        ],
        "references": [
          {
            "url": "https://github.com/THM-Health/PILOS/commit/d9ab9bb7ac0a8581c25e24cb7db2152d40be4d1b",
            "source": "security-advisories@github.com",
            "tags": [
              "Patch"
            ]
          },
          {
            "url": "https://github.com/THM-Health/PILOS/security/advisories/GHSA-r24c-9p4j-rqw9",
            "source": "security-advisories@github.com",
            "tags": [
              "Third Party Advisory"
            ]
          }
        ]
      }
    }
  ]
}