Skip to main content

Pi.Alert CVE-2026-44886

| EUVDEUVD-2026-32636 HIGH
SQL Injection (CWE-89)
2026-05-27 GitHub_M
8.7
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
Analysis Generated
May 27, 2026 - 21:26 vuln.today
Patch available
May 27, 2026 - 21:04 EUVD
CVSS changed
May 27, 2026 - 20:22 NVD
8.7 (HIGH)

DescriptionGitHub Advisory

Pi.Alert is a WIFI / LAN intruder detector with web service monitoring. From 2024-06-29 to before 2026-05-07, the web application endpoint is vulnerable to SQL injection. The /pialert/php/server/devices.php route accepts requests from unauthenticated users when the action URL parameter is set to getDevicesTotals. The scansource URL parameter is then injected in a SQL query. This vulnerability is fixed in 2026-05-07.

AnalysisAI

Unauthenticated SQL injection in Pi.Alert (a WiFi/LAN intruder detection and web-service monitoring tool by leiweibau) lets remote attackers manipulate backend database queries through the public devices.php endpoint. The flaw affects builds from 2024-06-29 up to the 2026-05-07 fix, and the CVSS 4.0 vector (AV:N/AC:L/PR:N/UI:N) confirms it is trivially reachable over the network with no authentication or user interaction, while the high-confidentiality / no-integrity / no-availability impact (VC:H/VI:N/VA:N) indicates the primary risk is database disclosure. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; no EPSS score was provided in the source data.

Technical ContextAI

Pi.Alert is a PHP-based network monitoring application (CPE cpe:2.3:a:leiweibau:pi.alert) that tracks devices on a WiFi/LAN and stores results in a backend SQL database. The root cause is CWE-89 (Improper Neutralization of Special Elements used in an SQL Command): the route /pialert/php/server/devices.php exposes an action handler, and when invoked with the URL parameter action=getDevicesTotals it processes requests without requiring authentication. The value of the scansource URL parameter is concatenated directly into a SQL query rather than being bound as a parameter or sanitized, allowing an attacker to alter the query's logic. Because this code path is intended to return device totals, the underlying query is read-oriented, which aligns with the CVSS confidentiality-only impact.

RemediationAI

Upgrade Pi.Alert to the 2026-05-07 fixed release, which the vendor advisory (GHSA-m929-j7w8-334j) confirms remediates the issue - patch available per vendor advisory. Review that advisory at https://github.com/leiweibau/Pi.Alert/security/advisories/GHSA-m929-j7w8-334j for upgrade instructions and confirm the installed build is dated 2026-05-07 or later. If immediate patching is not possible, place the Pi.Alert web interface behind authentication via a reverse proxy and restrict network access so only trusted management hosts can reach it (trade-off: breaks any unauthenticated automation or dashboards that rely on direct access); additionally, block or filter external access to the /pialert/php/server/devices.php endpoint at the proxy/WAF layer, and ensure the application is not exposed to the internet - bind it to the internal management network only. These controls reduce the reachable attack surface without altering application logic, but they do not fix the underlying injection, so upgrading remains the only complete remedy.

More in PHP

View all
CVE-2012-1823 CRITICAL POC
9.8 May 11

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not

CVE-2016-1555 CRITICAL POC
9.8 Apr 21

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear

CVE-2024-11680 CRITICAL POC
9.8 Nov 26

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2017-9841 CRITICAL POC
9.8 Jun 27

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c

CVE-2025-0108 HIGH POC
8.8 Feb 12

Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers

CVE-2021-25298 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2021-25296 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2013-4983 CRITICAL POC
10.0 Sep 10

The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-46506 CRITICAL POC
10.0 May 13

NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

Share

CVE-2026-44886 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy