Pi.Alert versions prior to 2026-05-07 contain a critical unauthenticated remote code execution vulnerability in the SaveConfigFile() endpoint. The application writes user-supplied numeric configuration values directly into pialert.conf without validation. Because this configuration file is loaded via Python's exec() function every 3–5 minutes by a background cron process, an attacker can inject arbitrary [truncated]
Pi.Alert, a WIFI/LAN intruder detector with web service monitoring, contains a critical unauthenticated Remote Code Execution vulnerability in versions prior to 2026-05-07. The web-based configuration editor permits arbitrary Python code injection into pialert.conf, which the background scan daemon subsequently executes via Python's exec() function. With web protection disabled by default, no authenticati [truncated]
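A defensive sketch for the two entries above, added here as an example and not taken from Pi.Alert's code or its fix: numeric settings are checked as bounded plain integers before being written, and the config file is parsed as `NAME = literal` assignments with `ast` instead of being run through exec(). The key names, bounds and sample file contents are hypothetical and constructed for illustration.

```python
import ast
import re

# ASCII digits only: rejects signs, whitespace, newlines and any expression text.
_PLAIN_INT = re.compile(r"[0-9]{1,6}")


def validate_numeric(name, raw, lo, hi):
    """Write-side check: accept only a bounded plain integer from the request."""
    if not isinstance(raw, str) or not _PLAIN_INT.fullmatch(raw):
        raise ValueError(f"{name}: not a plain integer")
    value = int(raw)
    if not lo <= value <= hi:
        raise ValueError(f"{name}: {value} outside {lo}..{hi}")
    return value


def load_config(text):
    """Read-side check: parse the file, never execute it.

    Only top-level `NAME = <literal>` statements are accepted; imports,
    calls, attribute access and every other construct are rejected.
    """
    config = {}
    for node in ast.parse(text).body:  # ast.parse builds a tree, runs nothing
        is_simple_assign = (
            isinstance(node, ast.Assign)
            and len(node.targets) == 1
            and isinstance(node.targets[0], ast.Name)
        )
        if not is_simple_assign:
            raise ValueError(f"line {node.lineno}: only NAME = literal allowed")
        try:
            # literal_eval accepts numbers, strings, lists, dicts, booleans, None
            config[node.targets[0].id] = ast.literal_eval(node.value)
        except ValueError:
            raise ValueError(f"line {node.lineno}: value is not a literal")
    return config


# Constructed sample config (hypothetical keys, not Pi.Alert's real ones).
SAMPLE_CONF = "# constructed sample\nEXAMPLE_TIMEOUT = 30\nEXAMPLE_LABEL = 'lan'\n"

if __name__ == "__main__":
    print(validate_numeric("EXAMPLE_TIMEOUT", "30", 1, 3600))
    print(load_config(SAMPLE_CONF))
```

Either check alone narrows the issue; applying both means a value that slips past the write path still cannot reach code execution when the file is loaded.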
CVE-2026-44886 is a HIGH severity SQL injection vulnerability in Pi.Alert, a WIFI/LAN intruder detection and web service monitoring application. The vulnerability exists in the `/pialert/php/server/devices.php` endpoint, which accepts requests from unauthenticated users when the `action` URL parameter is set to `getDevicesTotals`. The `scansource` URL parameter is subsequently injected into a SQL query wi [truncated]