CVE-2026-44886: Pi.Alert: Web Interface Vulnerable to Unauthenticated Blind SQL Injection
Pi.Alert is a WiFi / LAN intruder detector with web-service monitoring. Versions from 2024-06-29 up to, but not including, 2026-05-07 contain a SQL injection flaw in the web application: the /pialert/php/server/devices.php route accepts requests from unauthenticated users when the action URL parameter is set to getDevicesTotals, and the scansource URL parameter is then injected into a SQL query. The vulnerability is fixed in version 2026-05-07.
HarborGuard Analysis
Synopsis
Blind SQL injection in Pi.Alert's web interface allows an unauthenticated remote attacker to extract data from the application's database. The vulnerable endpoint, /pialert/php/server/devices.php, accepts requests without any login check when the action parameter is set to getDevicesTotals, and the scansource parameter is passed directly into a SQL query. Successful exploitation gives an attacker read access to stored data including device records and any other information held in the database. No fix version has been published upstream; HarborGuard tracks the advisory for patch availability.
HarborGuard Coverage
- Detection: Available
Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images, including custom-built images derived from affected Pi.Alert versions. Any image containing a Pi.Alert build in the range 2024-06-29 to before 2026-05-07 is flagged automatically.
- Scoring and routing: Available
HarborGuard scores this CVE at 8.7 HIGH using the published CVSS v4.0 vector and weights it against each environment's compliance policy to determine urgency and routing. Triage findings are delivered to the inbox or ticket queue configured for the affected workload within each customer organization.
- Patched rebuild: Pending upstream
Because no fix version has been published upstream, no patched-image rebuild is currently available. HarborGuard re-checks the Pi.Alert advisory on every ingest cycle and will make a patched rebuild available automatically the moment an upstream fix is released.
Exploit Conditions
- Network reachability: Required
The vulnerable endpoint is exposed over the network; an attacker must be able to send HTTP requests to the Pi.Alert web interface.
- Authentication: Not required
The getDevicesTotals action accepts requests from unauthenticated users, so no credentials or session token are needed.
- Victim interaction: Not required
The attacker sends crafted requests directly to the server; no user action or social engineering is involved.
- Attack complexity: Low
Attack complexity is low: the injection point is straightforward and the exploit is reliable without needing specific timing, memory layout, or environmental conditions.
Blast Radius
- An attacker reads stored device records, network scan results, and any other data persisted in the Pi.Alert database.
- Depending on database contents, stored credentials, API keys, or configuration values held in the application's tables are exposed.
- No integrity or availability impact is indicated by the CVSS vector; data is exposed but not modified or destroyed through this vector alone.
How HarborGuard Handles This
Available on HarborGuard: detection of this CVE is active for all customer images containing affected Pi.Alert builds, with findings scored at 8.7 HIGH and routed according to each environment's compliance policy. Because no upstream fix exists yet, patched-image rebuilds are not currently available. In the interim, customers can apply compensating controls such as network-policy rules that restrict access to the Pi.Alert web interface to trusted internal addresses only, egress filtering to limit what the application process can reach, and WAF rules that block requests carrying SQL metacharacters in the scansource parameter. HarborGuard re-checks the advisory on every ingest cycle; for customers with auto-remediation enabled, a rebuilt image and a PR against affected workloads will be generated automatically once an upstream fix version is published.
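The synopsis above describes the defect (an unauthenticated request parameter spliced into a SQL query) and the paragraph above recommends a WAF rule on the scansource parameter as an interim control. The following added example, which is not Pi.Alert's code and not HarborGuard's, shows both sides in Python: a hardened equivalent of the getDevicesTotals lookup that validates scansource against an allowlist and binds it as a query parameter, and a small access-log detector that flags getDevicesTotals requests whose scansource value does not look like a plain scan-source name. The Devices table layout, the allowlist of scan-source names, and the log lines are constructed for the demonstration; Pi.Alert itself is written in PHP and its real schema and accepted values may differ.

```python
"""
Added example (not Pi.Alert's code): hardened getDevicesTotals lookup plus a
log-line detector for tampered scansource values. Table layout, allowlist and
log lines are constructed for the demonstration.
"""
import re
import sqlite3
from urllib.parse import parse_qs, urlsplit

# Assumed allowlist of legitimate scan-source names (constructed, not taken
# from the project). Anything outside this set is rejected before SQL runs.
ALLOWED_SCANSOURCES = frozenset({"arp-scan", "Pi-hole", "DHCP"})

# Shape a scan-source name is expected to have: letters, digits, '-' and '_'.
# Used by the detector, which cannot know every deployment's exact values.
SCANSOURCE_RE = re.compile(r"^[A-Za-z0-9_-]{1,32}$")


def build_unsafe_sql(scansource: str) -> str:
    """The vulnerable pattern: the raw parameter is spliced into the SQL text.
    Returned as a string only, so the reader can see what reaches the parser."""
    return ("SELECT COUNT(*) FROM Devices WHERE dev_ScanSource = '"
            + scansource + "'")


def get_devices_totals(conn: sqlite3.Connection, scansource: str) -> int:
    """Hardened version: allowlist check first, then a bound parameter, so the
    value is never interpreted as SQL."""
    if scansource not in ALLOWED_SCANSOURCES:
        raise ValueError("unexpected scansource value")
    row = conn.execute(
        "SELECT COUNT(*) FROM Devices WHERE dev_ScanSource = ?",
        (scansource,),
    ).fetchone()
    return row[0]


def handle_get_devices_totals(conn: sqlite3.Connection, query_string: str):
    """Request-level wrapper, as an endpoint would do it: bad input gets a 400
    before any database access happens."""
    qs = parse_qs(query_string, keep_blank_values=True)
    scansource = qs.get("scansource", [""])[0]
    try:
        return 200, {"count": get_devices_totals(conn, scansource)}
    except ValueError:
        return 400, {"error": "invalid scansource"}


def make_demo_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the Pi.Alert database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Devices (dev_MAC TEXT, dev_Name TEXT, dev_ScanSource TEXT)"
    )
    conn.executemany(
        "INSERT INTO Devices VALUES (?, ?, ?)",
        [("00:11:22:33:44:55", "printer", "arp-scan"),
         ("00:11:22:33:44:66", "laptop", "arp-scan"),
         ("00:11:22:33:44:77", "phone", "Pi-hole")],
    )
    return conn


# Combined-format access log: client, method, request target, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3})'
)


def flag_suspicious_requests(log_lines):
    """Return (client_ip, decoded_scansource) for requests to the unauthenticated
    getDevicesTotals action whose scansource is not a plain scan-source name."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if url.path != "/pialert/php/server/devices.php":
            continue
        qs = parse_qs(url.query, keep_blank_values=True)
        if qs.get("action", [""])[0] != "getDevicesTotals":
            continue
        for value in qs.get("scansource", []):   # parse_qs already URL-decodes
            if not SCANSOURCE_RE.match(value):
                hits.append((m.group("ip"), value))
    return hits


# Constructed log lines: one normal request, two with tampered scansource
# values (a stray quote, a semicolon), and two unrelated requests.
SAMPLE_LOG = [
    '192.0.2.10 - - [07/May/2026:10:00:01 +0000] "GET /pialert/php/server/devices.php?action=getDevicesTotals&scansource=arp-scan HTTP/1.1" 200 87',
    '192.0.2.11 - - [07/May/2026:10:00:02 +0000] "GET /pialert/php/server/devices.php?action=getDevicesTotals&scansource=arp-scan%27 HTTP/1.1" 200 87',
    '192.0.2.12 - - [07/May/2026:10:00:03 +0000] "GET /pialert/php/server/devices.php?action=getDevices HTTP/1.1" 302 0',
    '192.0.2.13 - - [07/May/2026:10:00:04 +0000] "GET /pialert/index.php HTTP/1.1" 200 2048',
    '192.0.2.14 - - [07/May/2026:10:00:05 +0000] "GET /pialert/php/server/devices.php?action=getDevicesTotals&scansource=arp-scan%3B HTTP/1.1" 200 87',
]

if __name__ == "__main__":
    db = make_demo_db()
    print(handle_get_devices_totals(db, "action=getDevicesTotals&scansource=arp-scan"))
    print(handle_get_devices_totals(db, "action=getDevicesTotals&scansource=arp-scan%27"))
    for ip, value in flag_suspicious_requests(SAMPLE_LOG):
        print(f"suspicious getDevicesTotals request from {ip}: scansource={value!r}")
```

The detector deliberately uses a positive shape check (what a scan-source name should look like) rather than a list of SQL metacharacters to block: a blocklist has to anticipate every encoding and keyword an attacker might use, whereas an allowlist only has to describe the handful of values the application legitimately expects. The same allowlist, applied in the handler before the query runs, is what removes the injection in the first place; the bound parameter is the second, independent layer.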
Metrics
- CVSS v4.0: 8.7
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
  - leiweibau / Pi.Alert: >= 2024-06-29, < 2026-05-07
- Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N