CVE-2026-44886
BaseFortify
Publication date: 2026-05-27
Last updated on: 2026-05-27
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| leiweibau | pi.alert | From 2024-06-29 (inc) to 2026-05-07 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects the Pi.Alert web application, which is a WIFI / LAN intruder detector with web service monitoring. Specifically, the endpoint /pialert/php/server/devices.php is vulnerable to SQL injection when the action URL parameter is set to getDevicesTotals. In this case, the scansource URL parameter is injected directly into a SQL query without proper sanitization. This allows unauthenticated users to potentially manipulate the database query.
How can this vulnerability impact me?
The SQL injection vulnerability can allow attackers to execute arbitrary SQL commands on the backend database. Since the endpoint accepts requests from unauthenticated users, this could lead to unauthorized data access, data modification, or even deletion. The impact could include data breaches, loss of data integrity, and potential disruption of the Pi.Alert service.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:
- Restrict access to the vulnerable endpoint `/pialert/php/server/devices.php`, especially when the `action` parameter is set to `getDevicesTotals`.
- Implement authentication checks to ensure only authorized users can access this endpoint.
- Apply input validation and use parameterized queries or prepared statements to prevent SQL injection.
- If possible, update the Pi.Alert application to the fixed version released on or after 2026-05-07, where this vulnerability is resolved.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows unauthenticated attackers to perform blind SQL injection on the Pi.Alert web application, enabling them to dump all data from the database without authentication, even if password protection is enabled.
Such unauthorized data access and exfiltration can lead to exposure of sensitive personal or protected health information, which would violate data protection requirements under regulations like GDPR and HIPAA.
Therefore, this vulnerability poses a significant risk to compliance with common standards and regulations that mandate protection of sensitive data and prevention of unauthorized access.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by sending crafted HTTP requests to the vulnerable endpoint `/pialert/php/server/devices.php` with the URL parameter `action=getDevicesTotals` and injecting SQL payloads into the `scansource` parameter to observe if SQL injection is possible.
For example, you can use curl commands to test for SQL injection by sending requests with typical SQL injection payloads in the scansource parameter and checking the response for anomalies or error messages.
- `curl -G 'http://<target>/pialert/php/server/devices.php' --data-urlencode 'action=getDevicesTotals' --data-urlencode "scansource=' OR '1'='1"`
- `curl -G 'http://<target>/pialert/php/server/devices.php' --data-urlencode 'action=getDevicesTotals' --data-urlencode "scansource=' UNION SELECT NULL--"`
If the server responds with data or error messages indicating SQL syntax issues or unexpected data, that suggests the presence of an SQL injection vulnerability.
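A defender-side counterpart to the probes above, added here as an example and not part of this record or of Pi.Alert's own code: it scans web-server access log lines (constructed samples) for requests to the affected endpoint with `action=getDevicesTotals` whose `scansource` value is not a plain identifier. The identifier allowlist is an assumption about what legitimate values look like, not something the advisory states.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Affected endpoint and action as named in the advisory.
ENDPOINT = "/pialert/php/server/devices.php"
ACTION = "getDevicesTotals"
# Assumption: a legitimate scansource is a short token such as a scan method name.
SAFE_SCANSOURCE = re.compile(r"^[A-Za-z0-9_-]{1,32}$")

# Apache/nginx combined-format request field: "GET /path?query HTTP/1.1"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines: one benign call, one injection attempt, one unrelated action.
SAMPLE_LOG = [
    '192.0.2.10 - - [27/May/2026:10:00:01 +0000] "GET /pialert/php/server/devices.php'
    '?action=getDevicesTotals&scansource=arp-scan HTTP/1.1" 200 512',
    '198.51.100.7 - - [27/May/2026:10:00:05 +0000] "GET /pialert/php/server/devices.php'
    '?action=getDevicesTotals&scansource=%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9031',
    '198.51.100.7 - - [27/May/2026:10:00:09 +0000] "GET /pialert/php/server/devices.php'
    '?action=getDevices HTTP/1.1" 200 120',
]


def is_suspicious(target: str) -> bool:
    """True if the request hits the vulnerable action with a scansource
    value that is anything other than a plain identifier."""
    parts = urlsplit(target)
    if parts.path != ENDPOINT:
        return False
    qs = parse_qs(parts.query, keep_blank_values=True)
    if qs.get("action", [""])[0] != ACTION:
        return False
    for raw in qs.get("scansource", []):
        # parse_qs decoded once; decode again so double-encoded quotes are caught too.
        if not SAFE_SCANSOURCE.fullmatch(unquote(raw)):
            return True
    return False


def scan_log(lines):
    """Return (ip, timestamp, request target) for every suspicious request line."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_suspicious(m["target"]):
            hits.append((m["ip"], m["ts"], m["target"]))
    return hits
```

Run `scan_log(SAMPLE_LOG)` to see only the second sample flagged; point it at a real access log to triage past requests while the endpoint is being restricted.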