Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionGitHub Advisory
Pi.Alert is a WIFI / LAN intruder detector with web service monitoring. Prior to 2026-05-07, Pi.Alert's web-based configuration editor allows arbitrary Python code to be injected into pialert.conf. Since the background scan daemon loads this file via Python's exec(), injected code executes as the daemon process. With web protection disabled (the default configuration), no authentication is required, making this an unauthenticated Remote Code Execution vulnerability. This vulnerability is fixed in 2026-05-07.
AnalysisAI
Unauthenticated remote code execution affects Pi.Alert, an open-source WiFi/LAN intruder detector with web-based service monitoring, in all versions prior to the 2026-05-07 release. The web configuration editor writes attacker-controlled content into pialert.conf, which the background scan daemon subsequently evaluates with Python's exec(), so injected statements run with the daemon's privileges. Because the product ships with web protection disabled by default, an attacker reaching the web interface needs no credentials, yielding a CVSS 9.8 critical flaw; no public exploit identified at time of analysis.
Technical ContextAI
Pi.Alert (vendor 'leiweibau', CPE cpe:2.3:a:leiweibau:pi.alert) is a Python-based network monitoring tool that stores its runtime settings in a plaintext configuration file, pialert.conf. Rather than parsing that file as inert data, the scanning daemon loads it through Python's exec() built-in, meaning the file's contents are treated as executable source. The web-based configuration editor lets users edit this file, so any value written there becomes code the daemon later runs. This maps directly to CWE-94 (Improper Control of Generation of Code, 'Code Injection'): the root cause is mixing a trusted code path (exec) with attacker-influenceable input (config fields) instead of using a safe key/value parser such as configparser or ast.literal_eval.
RemediationAI
Vendor-released patch: upgrade to the Pi.Alert release dated 2026-05-07 or later, as documented in advisory GHSA-r59g-5wf9-f7vv (https://github.com/leiweibau/Pi.Alert/security/advisories/GHSA-r59g-5wf9-f7vv). If immediate patching is not possible, enable Pi.Alert's web protection (authentication) feature, which is disabled by default - this restores the authentication requirement and removes the unauthenticated attack path, at the cost of requiring login for legitimate admins. As an additional compensating control, restrict network access to the Pi.Alert web interface to trusted management hosts via firewall rules or by binding it to localhost/a management VLAN, accepting the trade-off that remote administration becomes unavailable. Avoid exposing the configuration editor to untrusted networks under any circumstances until patched.
Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t
BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser
pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi
The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph
pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.
In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/
pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne
Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301
Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing
Same weakness CWE-94 – Code Injection
View allSame technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32635