Pi.Alert EUVD-2026-32634

CVE-2026-44888 | CRITICAL | Code Injection (CWE-94)
2026-05-27 | GitHub_M | CVSS 3.1: 9.8

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Patch available: May 27, 2026 - 21:04 (EUVD)
Analysis Generated: May 27, 2026 - 20:18 (vuln.today)

Description (NVD)

Pi.Alert is a WIFI / LAN intruder detector with web service monitoring. Prior to 2026-05-07, Pi.Alert's SaveConfigFile() endpoint writes user-supplied numeric config values (e.g., SMTP_PORT) directly into pialert.conf without validation. Since pialert.conf is loaded via Python's exec() every 3-5 minutes by the background cron process, an attacker can inject arbitrary Python code and achieve unauthenticated OS-level RCE. On default installations (PIALERT_WEB_PROTECTION = False), no credentials are required. This vulnerability is fixed in 2026-05-07.
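
The two controls the description points to, as an added example that is not Pi.Alert's code or its actual patch: validate a numeric value before it is written to the config file, and read the file back as literal assignments instead of passing it to exec(). The schema NUMERIC_KEYS, the function names and the sample values are assumptions constructed for illustration.

```python
import ast
import re

# Assumed schema for this sketch: numeric keys and their allowed ranges.
NUMERIC_KEYS = {"SMTP_PORT": (1, 65535)}

# Constructed sample of a non-numeric value submitted for a numeric field.
BAD_VALUE = "25\nprint('injected')"


def render_numeric(key, raw):
    """Write side: return a 'KEY = int' line, or raise ValueError."""
    low, high = NUMERIC_KEYS[key]
    text = str(raw).strip()
    # fullmatch rejects newlines, operators, quotes and anything but digits.
    if not re.fullmatch(r"[0-9]{1,5}", text):
        raise ValueError(f"{key}: expected a plain decimal integer")
    value = int(text)
    if not low <= value <= high:
        raise ValueError(f"{key}: {value} outside {low}-{high}")
    return f"{key} = {value}"


def load_config(text):
    """Read side: accept only 'NAME = literal' lines; nothing is executed."""
    try:
        tree = ast.parse(text)  # builds a syntax tree, runs no code
    except SyntaxError as exc:
        raise ValueError(f"config is not parseable: {exc}") from exc
    config = {}
    for node in tree.body:
        simple = (isinstance(node, ast.Assign) and len(node.targets) == 1
                  and isinstance(node.targets[0], ast.Name))
        if not simple:
            raise ValueError(f"line {node.lineno}: not a simple assignment")
        try:
            config[node.targets[0].id] = ast.literal_eval(node.value)
        except (ValueError, TypeError) as exc:
            raise ValueError(f"line {node.lineno}: not a literal") from exc
    return config


if __name__ == "__main__":
    print(render_numeric("SMTP_PORT", "587"))
    for stage, call in (("write", lambda: render_numeric("SMTP_PORT", BAD_VALUE)),
                        ("load", lambda: load_config("SMTP_PORT = " + BAD_VALUE))):
        try:
            call()
        except ValueError as exc:
            print(f"{stage} rejected: {exc}")
```

The write-side check is still needed with the safer loader, because a value that smuggles in a second literal assignment would parse cleanly and could override another setting.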

Analysis (AI)

Unauthenticated remote code execution affects Pi.Alert, a Python-based Wi-Fi/LAN intruder detector, in all releases prior to the 2026-05-07 fix. The web UI's SaveConfigFile() endpoint writes attacker-supplied numeric configuration values such as SMTP_PORT into pialert.conf with no validation, and because that file is reloaded via Python's exec() by a background cron job every 3-5 minutes, injected Python executes at the OS level. …

Remediation (AI)

Within 24 hours: Inventory all Pi.Alert installations; if PIALERT_WEB_PROTECTION is disabled or unknown, immediately restrict network access to the web UI or take the service offline. Within 7 days: Apply vendor patch released 2026-05-07 to all instances; verify PIALERT_WEB_PROTECTION=True is set in pialert.conf. …
