Pi.Alert
cpe:2.3:a:pi.alert_project:pi.alert:*:*:*:*:*:*:*
Affected versions: < 2026-05-07
A remote code execution vulnerability has been identified in Pi.Alert, a WiFi/LAN intruder detection system, prior to May 7, 2026. The issue arises in the web-based configuration editor, which allows arbitrary Python code to be injected into the 'pialert.conf' file. The background scan daemon executes this file using Python's 'exec()' function, running the injected code as the daemon process. With web protection turned off by default, this vulnerability can be exploited without authentication.
Exploitation of this vulnerability allows for unauthenticated remote execution of arbitrary OS commands as the Pi.Alert scan daemon, which typically runs with root privileges. This could lead to a complete compromise of the affected system.
To reproduce this vulnerability, web protection must be disabled, which is Pi.Alert's default configuration. Then, access the 'front/index.php' page to initiate a session, which automatically sets the login session variable for any visitor. After obtaining the session, send a POST request to 'front/php/server/files.php' with the 'SaveConfigFile' action. Include a payload in the 'DB_PATH' configuration key that executes a command, such as 'id', using Python's 'os' module. The injected command will be executed by the scan daemon in the next scan cycle, which occurs every few minutes.
Users are advised to update to the version released on May 7, 2026, which addresses this vulnerability.
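The root cause described above is a configuration file treated as Python source and handed to exec(), so any statement written into it runs as the daemon. The following added example (not code from the Pi.Alert project) shows that unsafe loader next to a hardened alternative that parses the file with the ast module and accepts only `NAME = <literal>` assignments, rejecting calls, names, imports and any other statement. The sample configuration text, the key names other than DB_PATH, and the function names are constructed for illustration.

```python
import ast

# Constructed sample in the style of a pialert.conf file (not the project's file).
# Lines 4 and 5 are the kind of content an exec()-based loader would execute.
SAMPLE_CONF = """\
# constructed sample configuration
SCAN_SUBNETS = ['192.168.1.0/24 --interface=eth0']
TIMEZONE = 'Europe/Berlin'
DB_PATH = build_path()      # tampered: a call expression, not a string literal
import subprocess           # tampered: a statement, not an assignment at all
"""

# Constructed benign sample: every value is a plain literal.
CLEAN_CONF = "DB_PATH = '/home/pi/pialert/db/pialert.db'\nLOG_LEVEL = 2\n"


def load_config_unsafe(text):
    """The vulnerable pattern: the whole file is executed as Python, so a
    tampered value runs with the daemon's privileges. Shown for contrast only."""
    namespace = {}
    exec(text, namespace)  # executes every statement in the file
    return {k: v for k, v in namespace.items() if not k.startswith("__")}


def load_config_safe(text):
    """Hardened loader: parse the file as Python syntax but only accept
    `NAME = <literal>` assignments. ast.literal_eval evaluates strings, numbers,
    lists, dicts, tuples, booleans and None, and raises ValueError for anything
    else (calls, names, attribute access). Returns (config, rejected), where
    rejected is a list of (line_number, reason) for every line that was refused."""
    config, rejected = {}, []
    for node in ast.parse(text).body:
        is_simple_assign = (
            isinstance(node, ast.Assign)
            and len(node.targets) == 1
            and isinstance(node.targets[0], ast.Name)
        )
        if not is_simple_assign:
            rejected.append((node.lineno, "not a simple NAME = value assignment"))
            continue
        key = node.targets[0].id
        try:
            config[key] = ast.literal_eval(node.value)
        except (ValueError, SyntaxError):
            rejected.append((node.lineno, f"{key}: value is not a plain literal"))
    return config, rejected


def load_config_strict(text):
    """Fail closed: refuse the entire file if any line was rejected, so a
    daemon never starts on a partially trusted configuration."""
    config, rejected = load_config_safe(text)
    if rejected:
        details = "; ".join(f"line {ln}: {why}" for ln, why in rejected)
        raise ValueError(f"refusing configuration: {details}")
    return config


if __name__ == "__main__":
    print("benign file, unsafe loader :", load_config_unsafe(CLEAN_CONF))
    print("benign file, safe loader   :", load_config_safe(CLEAN_CONF))
    cfg, rej = load_config_safe(SAMPLE_CONF)
    print("tampered file, accepted    :", cfg)
    for line_no, reason in rej:
        print(f"tampered file, rejected line {line_no}: {reason}")
```

On the benign file both loaders return the same dictionary; on the tampered file the safe loader keeps the two literal keys and reports lines 4 and 5, while the strict variant raises instead of starting with a missing DB_PATH. The same approach generalises to any "config file is code" design: keep the syntax the users already have, but evaluate values with literal_eval rather than exec.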