CVE-2026-44886

Deferred Deferred - Pending Action

SQL Injection in Pi.Alert Web Application

Publication date: 2026-05-27

Last updated on: 2026-05-28

Assigner: GitHub, Inc.

Description

Pi.Alert is a WIFI / LAN intruder detector with web service monitoring. From 2024-06-29 to before 2026-05-07, the web application endpoint is vulnerable to SQL injection. The /pialert/php/server/devices.php route accepts requests from unauthenticated users when the action URL parameter is set to getDevicesTotals. The scansource URL parameter is then injected in a SQL query. This vulnerability is fixed in 2026-05-07.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published

2026-05-27

Last Modified

2026-05-28

Generated

2026-06-17

AI Q&A

2026-05-27

EPSS Evaluated

2026-06-15

NVD

CVE-2026-44886

EUVD

EUVD-2026-32636

Affected Vendors & Products

Vendor	Product	Version / Range
leiweibau	pi.alert	From 2024-06-29 (inc) to 2026-05-07 (exc)

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-89	The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

CWE ID

Description

CWE-89

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Attack-Flow Graph

Executive Summary

This vulnerability affects the Pi.Alert web application, which is a WIFI / LAN intruder detector with web service monitoring. Specifically, the endpoint /pialert/php/server/devices.php is vulnerable to SQL injection when the action URL parameter is set to getDevicesTotals. In this case, the scansource URL parameter is injected directly into a SQL query without proper sanitization. This allows unauthenticated users to potentially manipulate the database query.

Impact Analysis

The SQL injection vulnerability can allow attackers to execute arbitrary SQL commands on the backend database. Since the endpoint accepts requests from unauthenticated users, this could lead to unauthorized data access, data modification, or even deletion. The impact could include data breaches, loss of data integrity, and potential disruption of the Pi.Alert service.

Mitigation Strategies

Immediate mitigation steps include restricting access to the vulnerable endpoint `/pialert/php/server/devices.php` especially when the `action` parameter is set to `getDevicesTotals`.

Implement authentication checks to ensure only authorized users can access this endpoint.

Apply input validation and use parameterized queries or prepared statements to prevent SQL injection.

If possible, update the Pi.Alert application to the fixed version released on or after 2026-05-07 where this vulnerability is resolved.

Compliance Impact

This vulnerability allows unauthenticated attackers to perform blind SQL injection on the Pi.Alert web application, enabling them to dump all data from the database without authentication, even if password protection is enabled.

Such unauthorized data access and exfiltration can lead to exposure of sensitive personal or protected health information, which would violate data protection requirements under regulations like GDPR and HIPAA.

Therefore, this vulnerability poses a significant risk to compliance with common standards and regulations that mandate protection of sensitive data and prevention of unauthorized access.

Detection Guidance

This vulnerability can be detected by sending crafted HTTP requests to the vulnerable endpoint `/pialert/php/server/devices.php` with the URL parameter `action=getDevicesTotals` and injecting SQL payloads into the `scansource` parameter to observe if SQL injection is possible.

For example, you can use curl commands to test for SQL injection by sending requests with typical SQL injection payloads in the scansource parameter and checking the response for anomalies or error messages.

curl -G 'http://<target>/pialert/php/server/devices.php' --data-urlencode 'action=getDevicesTotals' --data-urlencode "scansource=' OR '1'='1"
curl -G 'http://<target>/pialert/php/server/devices.php' --data-urlencode 'action=getDevicesTotals' --data-urlencode "scansource=' UNION SELECT NULL--"

If the server responds with data or error messages indicating SQL syntax issues or unexpected data, it suggests the presence of SQL injection vulnerability.

Hi! I’m here to help you understand CVE-2026-44886. Ask me anything about the vulnerability, its impact, or mitigation strategies.

0/70

CVE-2026-44886

SQL Injection in Pi.Alert Web Application

Description

CVSS Scores

EPSS Scores

Meta Information

Affected Vendors & Products

Helpful Resources

Exploitability

Attack-Flow Graph

AI Quick Actions

Chat Assistant

EPSS Chart