PatchSiren cyber security CVE debrief
CVE-2026-44888 leiweibau CVE debrief
Pi.Alert versions prior to 2026-05-07 contain a critical unauthenticated remote code execution vulnerability in the SaveConfigFile() endpoint. The application writes user-supplied numeric configuration values directly into pialert.conf without validation. Because a background cron process loads this configuration file via Python's exec() every 3–5 minutes, an attacker can inject arbitrary Python code that executes with OS-level privileges. On default installations, where PIALERT_WEB_PROTECTION is set to False, no authentication is required to exploit this vulnerability. The CVSS 3.1 score of 9.8 reflects a network attack vector, low attack complexity, no privileges required, no user interaction, and high impact on confidentiality, integrity, and availability. The vulnerability is classified under CWE-94 (Improper Control of Generation of Code). The fix was released on 2026-05-07.
- Vendor: leiweibau
- Product: Pi.Alert
- CVSS: CRITICAL 9.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-27
- Original CVE updated: 2026-05-27
- Advisory published: 2026-05-27
- Advisory updated: 2026-05-27
Who should care
Organizations running Pi.Alert for network monitoring and intrusion detection, particularly those with internet-exposed or internally accessible administrative interfaces. Security teams responsible for network monitoring infrastructure and small-to-medium business environments where Pi.Alert may be deployed with default configurations.
Technical summary
The SaveConfigFile() function in Pi.Alert accepts numeric configuration values from HTTP requests and writes them unsanitized into pialert.conf. The background cron process reloads this file using Python's exec(), which evaluates the file contents as executable code. An attacker can therefore place Python code in a field that is expected to hold a number (e.g., SMTP_PORT) and achieve arbitrary code execution the next time the file is loaded. The 3–5 minute cron interval provides a reliable execution window. Default installations lack web protection, so exploitation requires no authentication.
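The two checks a defender wants for this bug class are shown below as an added example (not Pi.Alert's own code): a write-side validator that only admits a plain integer into a numeric setting, and a read-side audit that parses pialert.conf with Python's ast module and flags anything other than NAME = <literal> assignments, which is what a file safe to exec() should contain. It assumes pialert.conf uses Python assignment syntax (implied by the exec() load) and that SMTP_PORT is a numeric key; the sample config is constructed.

```python
import ast
import re

# Keys that must hold integers. SMTP_PORT comes from the advisory; extend as needed.
NUMERIC_KEYS = {"SMTP_PORT"}


def validate_numeric(value: str, lo: int = 0, hi: int = 65535) -> int:
    """Write-side check: accept only a bare integer within [lo, hi]."""
    if not re.fullmatch(r"-?\d{1,10}", value.strip()):
        raise ValueError(f"not an integer: {value!r}")
    n = int(value)
    if not lo <= n <= hi:
        raise ValueError(f"out of range: {n}")
    return n


def audit_conf(text: str, numeric_keys=NUMERIC_KEYS) -> list:
    """Read-side check: every top-level statement must be NAME = <literal>,
    and numeric keys must hold an int. Returns a list of findings (empty = clean)."""
    findings = []
    try:
        tree = ast.parse(text)
    except SyntaxError as e:
        return [f"line {e.lineno}: not parseable as Python ({e.msg})"]
    for node in tree.body:
        if not (isinstance(node, ast.Assign) and len(node.targets) == 1
                and isinstance(node.targets[0], ast.Name)):
            findings.append(f"line {node.lineno}: non-assignment statement")
            continue
        name = node.targets[0].id
        try:
            value = ast.literal_eval(node.value)   # rejects calls, names, operators
        except (ValueError, TypeError):
            findings.append(f"line {node.lineno}: {name} is not a literal")
            continue
        if name in numeric_keys and type(value) is not int:
            findings.append(f"line {node.lineno}: {name} must be int, got {type(value).__name__}")
    return findings


# Constructed sample: one clean line, one with a trailing statement, one string, one call.
SAMPLE_CONF = """\
PIALERT_WEB_PROTECTION = False
SMTP_PORT = 587; print("tampered")
SMTP_PORT = "25"
SMTP_PORT = int("25")
"""

if __name__ == "__main__":
    for finding in audit_conf(SAMPLE_CONF):
        print(finding)
```

Run the audit from the same cron context, or from a file-integrity hook, and alert on any non-empty result before the file is next exec()'d.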
Defensive priority
critical
Recommended defensive actions
- Upgrade Pi.Alert to version 2026-05-07 or later immediately
- If immediate patching is not possible, enable PIALERT_WEB_PROTECTION to require authentication for configuration changes
- Review pialert.conf for unauthorized modifications indicating potential compromise
- Monitor cron job execution logs for anomalous Python code execution
- Restrict network access to Pi.Alert administrative interfaces to trusted hosts only
- Implement file integrity monitoring on pialert.conf to detect unauthorized changes
Evidence notes
Vulnerability description and technical details sourced from official CVE record and NVD entry published 2026-05-27. Advisory reference confirms vendor acknowledgment and fix date. CVSS vector and CWE classification derived from NVD source data.
Official resources
- CVE-2026-44888 CVE record (CVE.org)
- CVE-2026-44888 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: 2026-05-27