PatchSiren cyber security CVE debrief

CVE-2026-44886 leiweibau CVE debrief

CVE-2026-44886 is a HIGH severity SQL injection vulnerability in Pi.Alert, a WIFI/LAN intruder detection and web service monitoring application. The vulnerability exists in the `/pialert/php/server/devices.php` endpoint, which accepts requests from unauthenticated users when the `action` URL parameter is set to `getDevicesTotals`. The `scansource` URL parameter is subsequently injected into a SQL query without proper sanitization, allowing attackers to execute arbitrary SQL commands. The vulnerability affects versions from 2024-06-29 through 2026-05-06, with a fix released on 2026-05-07. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no privileges required, and high confidentiality impact. The vulnerability is classified under CWE-89 (SQL Injection).

Vendor: leiweibau
Product: Pi.Alert
CVSS: HIGH 8.7
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-27
Original CVE updated: 2026-05-28
Advisory published: 2026-05-27
Advisory updated: 2026-05-28

Who should care

Organizations running Pi.Alert for network monitoring and intrusion detection, particularly those with externally accessible web interfaces. Security teams responsible for vulnerability management and patch deployment for network security tools.

Technical summary

Unauthenticated SQL injection in Pi.Alert's devices.php via the scansource parameter when action=getDevicesTotals. CVSS 8.7 (HIGH). Fixed 2026-05-07.

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade Pi.Alert to a version released on or after 2026-05-07
  • If immediate patching is not possible, restrict network access to the Pi.Alert web interface to trusted administrative hosts only
  • Monitor web server logs for suspicious requests to /pialert/php/server/devices.php containing SQL injection patterns in the scansource parameter
  • Review database access logs for unauthorized query execution
  • Implement Web Application Firewall (WAF) rules to block requests with malicious scansource parameter values
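The log-monitoring action above can be turned into a concrete check. The following is an added example, not part of the advisory or the Pi.Alert project: it parses common-format web server log lines, isolates requests to the affected endpoint with action=getDevicesTotals, and flags any scansource value that falls outside an identifier-style allowlist (the allowlist itself is an assumption about what legitimate scan source names look like; adjust it to your deployment). The sample log lines are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Endpoint and parameters named in the advisory for CVE-2026-44886.
TARGET_PATH = "/pialert/php/server/devices.php"
TARGET_ACTION = "getDevicesTotals"

# Assumption: legitimate scansource values are identifier-like. Anything with
# quotes, spaces, comment markers or other punctuation is treated as suspicious.
SAFE_SCANSOURCE = re.compile(r"^[A-Za-z0-9_-]*$")

# Apache/nginx "common" log format: client ident user [ts] "METHOD target proto" status size
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def check_line(line):
    """Return a finding for a suspicious getDevicesTotals request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if url.path != TARGET_PATH:
        return None
    params = parse_qs(url.query, keep_blank_values=True)
    if params.get("action", [""])[0] != TARGET_ACTION:
        return None
    # parse_qs already URL-decodes once; decode again to catch double-encoding.
    value = unquote(params.get("scansource", [""])[0])
    if SAFE_SCANSOURCE.match(value):
        return None
    return {"client": m.group("client"), "ts": m.group("ts"),
            "status": m.group("status"), "scansource": value}


def scan_log(lines):
    """Run check_line over an iterable of log lines and collect the findings."""
    return [f for f in (check_line(line) for line in lines) if f]


# Constructed sample lines (RFC 5737 test addresses; not from a real deployment).
SAMPLE_LOG = [
    '192.0.2.10 - - [07/May/2026:10:00:00 +0000] "GET /pialert/php/server/devices.php?action=getDevicesTotals&scansource=arp-scan HTTP/1.1" 200 512',
    '198.51.100.7 - - [07/May/2026:10:00:05 +0000] "GET /pialert/php/server/devices.php?action=getDevicesTotals&scansource=arp-scan%27 HTTP/1.1" 200 4096',
    '203.0.113.5 - - [07/May/2026:10:00:09 +0000] "GET /pialert/php/server/devices.php?action=getDevices HTTP/1.1" 200 1000',
    '192.0.2.10 - - [07/May/2026:10:00:12 +0000] "GET /pialert/index.php HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Only the second sample line is reported; the benign request, the request with a different action, and the unrelated page are ignored.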

Evidence notes

Vulnerability confirmed via GitHub Security Advisory GHSA-m929-j7w8-334j. Affected endpoint: /pialert/php/server/devices.php with action=getDevicesTotals parameter. Injection point: scansource parameter. Fix date: 2026-05-07.
