CVE-2026-44888: Pi.Alert SaveConfigFile() allows arbitrary code execution

CVE-2026-44888
Summary

An attacker can inject malicious code into Pi.Alert's configuration file, potentially allowing them to execute commands on the device. This is particularly concerning because some Pi.Alert installations do not require a password. To protect your device, update to the latest version of Pi.Alert, released after 2026-05-07.

Original title
Pi.Alert is a WIFI / LAN intruder detector with web service monitoring. Prior to 2026-05-07, Pi.Alert's SaveConfigFile() endpoint writes user-supplied numeric config values (e.g., SMTP_PORT) direct...
Original description
Pi.Alert is a WIFI / LAN intruder detector with web service monitoring. Prior to 2026-05-07, Pi.Alert's SaveConfigFile() endpoint writes user-supplied numeric config values (e.g., SMTP_PORT) directly into pialert.conf without validation. Since pialert.conf is loaded via Python's exec() every 3–5 minutes by the background cron process, an attacker can inject arbitrary Python code and achieve unauthenticated OS-level RCE. On default installations (PIALERT_WEB_PROTECTION = False), no credentials are required. This vulnerability is fixed in 2026-05-07.
nvd CVSS3.1 9.8
Vulnerability type
CWE-94 Code Injection
Published: 27 May 2026 · Updated: 28 May 2026 · First seen: 27 May 2026
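
The pattern described above, an unvalidated numeric value written into a file that is later loaded with exec(), is shown here as an added example next to two defensive checks. It is not Pi.Alert's code or the project's actual fix. `NUMERIC_KEYS`, `validate_numeric`, `render_line`, `load_conf_safe` and the port range are hypothetical, the config is assumed to hold only `NAME = literal` lines, and the inputs are constructed.

```python
import ast

# Hypothetical schema (assumption): numeric keys and their allowed ranges.
NUMERIC_KEYS = {"SMTP_PORT": (1, 65535)}

def validate_numeric(key, raw):
    """Write side: accept only plain ASCII digits within the key's range."""
    lo, hi = NUMERIC_KEYS[key]
    text = raw.strip()
    if not (text.isascii() and text.isdigit()):
        raise ValueError(f"{key}: not a plain integer")
    value = int(text)
    if not lo <= value <= hi:
        raise ValueError(f"{key}: out of range {lo}-{hi}")
    return value

def render_line(key, raw):
    """Emit a config line only after validation, so raw text never reaches the file."""
    return f"{key} = {validate_numeric(key, raw)}\n"

def load_conf_safe(text):
    """Read side: parse without exec(); allow only NAME = <literal> statements."""
    settings = {}
    for node in ast.parse(text).body:
        if not (isinstance(node, ast.Assign) and len(node.targets) == 1
                and isinstance(node.targets[0], ast.Name)):
            raise ValueError(f"line {node.lineno}: not a simple assignment")
        try:
            settings[node.targets[0].id] = ast.literal_eval(node.value)
        except (ValueError, TypeError):
            raise ValueError(f"line {node.lineno}: value is not a literal") from None
    return settings

# Constructed inputs: a valid port, and a value that carries an extra statement.
GOOD = "587"
BAD = "25\nMARKER = len('x')"

def demo():
    unsafe_file = f"SMTP_PORT = {BAD}\n"  # what an unvalidated write produces
    scope = {}
    exec(unsafe_file, {}, scope)          # exec-style loading runs the extra statement
    safe = load_conf_safe(render_line("SMTP_PORT", GOOD))
    return scope, safe
```

Either check alone breaks the chain: the write-side validator keeps non-numeric text out of the file, and the literal-only loader refuses to evaluate anything that is not a constant.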