VYPR
← All advisories
Critical severity9.8NVD Advisory· Published May 27, 2026

CVE-2026-44887

CVE-2026-44887

Description

Pi.Alert is a WIFI / LAN intruder detector with web service monitoring. Prior to 2026-05-07, Pi.Alert's web-based configuration editor allows arbitrary Python code to be injected into pialert.conf. Since the background scan daemon loads this file via Python's exec(), injected code executes as the daemon process. With web protection disabled (the default configuration), no authentication is required, making this an unauthenticated Remote Code Execution vulnerability. This vulnerability is fixed in 2026-05-07.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Pi.Alert before 2026-05-07 allows unauthenticated remote code execution via Python code injection in its configuration file.

Vulnerability

Pi.Alert prior to the 2026-05-07 fix contains an unauthenticated remote code execution vulnerability in its web-based configuration editor. The SaveConfigFile action in front/php/server/files.php writes user-supplied key-value pairs into config/pialert.conf. Two keys, DB_PATH and LOG_PATH, are written without surrounding quotes, allowing arbitrary Python code to be injected. The background scan daemon (back/pialert.py) loads this configuration file using Python's exec(), so any injected code is executed [1].

Exploitation

With web protection disabled (the default configuration, where PIALERT_WEB_PROTECTION is False), no authentication is required. An attacker can obtain a session by visiting front/index.php and then send a crafted POST request to front/php/server/files.php with action=SaveConfigFile and a configfile parameter containing malicious Python code. On the next scan cycle (typically every few minutes), the daemon executes the injected code [1].

Impact

Successful exploitation allows an unauthenticated remote attacker to execute arbitrary OS commands as the scan daemon process, which often runs with root privileges. This leads to full system compromise, including data disclosure, modification, and denial of service [1].

Mitigation

The vulnerability is fixed in the 2026-05-07 release. Users should update to this version or later. If immediate updating is not possible, enabling web protection by setting PIALERT_WEB_PROTECTION = True in pialert.conf provides a partial mitigation, though updating is strongly recommended [1].

References
  1. Unauthenticated RCE via Python Config File Injection in SaveConfigFile() (Path)

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • Leiweibau/Pi.alertinferred2 versions
    <2026-05-07+ 1 more
    • (no CPE)range: <2026-05-07
    • (no CPE)range: < 2026-05-07

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing input sanitization in SaveConfigFile allows arbitrary Python code injection into a config file that is loaded via Python's exec()."

Attack vector

An unauthenticated attacker first obtains a session by visiting `front/index.php`; because `PIALERT_WEB_PROTECTION` defaults to `False`, `index.php` auto-sets `$_SESSION['login'] = 1` for any visitor, granting full access to `files.php` [ref_id=1]. The attacker then sends a POST request to `front/php/server/files.php` with `action=SaveConfigFile` and a `configfile` parameter containing a payload such as `DB_PATH=__import__("os").system("id")` [ref_id=1]. The server writes this unquoted value into `pialert.conf`. On the next scan cycle, the daemon calls `exec(open(pialert.conf).read())`, executing the injected Python code as the daemon process (typically root) [ref_id=1].

Affected code

The vulnerability resides in `front/php/server/files.php`, specifically the `SaveConfigFile` action (lines 636–641), which writes user-supplied config values for `DB_PATH` and `LOG_PATH` into `config/pialert.conf` without surrounding quotes [ref_id=1]. The background scan daemon (`back/pialert.py`, line 52) loads this file via Python's `exec()`, so any Python code injected into the config file executes as the daemon process [ref_id=1].

What the fix does

The advisory states the vulnerability is fixed in the 2026-05-07 release, but no patch diff is included in the bundle [ref_id=1]. The advisory's remediation guidance implicitly requires that `SaveConfigFile` either sanitize or quote user-supplied values before writing them to `pialert.conf`, and that the config file should not be loaded via `exec()` [ref_id=1]. Without a patch, the exact code change cannot be described; the fix likely involves adding quotes around written values or switching to a safe config parser.

Preconditions

  • configPIALERT_WEB_PROTECTION must be False (the default configuration)
  • networkAttacker must be able to reach the Pi.Alert web interface over the network
  • authNo authentication required because web protection is disabled by default
  • inputAttacker supplies arbitrary Python code via the configfile POST parameter

Reproduction

Step 1: Obtain a session cookie by visiting `curl -c cookies.txt http://

Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

1

News mentions

0

No linked articles in our index yet.