CVE-2026-44887

Pi.Alert · Pi.Alert

Pi.Alert is vulnerable to unauthenticated remote code execution due to improper validation of configuration files, allowing arbitrary Python code execution.

Executive summary

An unauthenticated remote code execution vulnerability in Pi.Alert allows attackers to execute arbitrary commands by injecting malicious code into the configuration file.

Vulnerability

The web-based configuration editor fails to sanitize user input, allowing an attacker to inject Python code into pialert.conf, which is subsequently executed by the background daemon with elevated privileges.

Business impact

With a CVSS score of 9.8, this flaw allows for complete system compromise by an unauthenticated attacker. The ability to execute arbitrary code as the daemon process grants the attacker full control over the host system, leading to data theft, persistent backdoors, and lateral movement.

Remediation

Immediate Action: Upgrade to Pi.Alert version 2026-05-07 or later, which introduces proper input validation for the configuration editor.

Proactive Monitoring: Inspect pialert.conf for any unexpected or obfuscated Python code segments and review system logs for unauthorized daemon activity.

Compensating Controls: Ensure web protection is enabled and strictly limit access to the web interface via VPN or IP-based access control lists (ACLs).
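For the "Proactive Monitoring" step above, the following added audit script (not part of Pi.Alert or of this advisory) parses pialert.conf as Python and flags every top-level statement that is not a plain `NAME = <literal>` assignment, which is what injected code looks like when the config file is executed rather than parsed. It assumes the file consists of such assignments, as the advisory's description of the daemon executing it implies; the sample file contents are constructed.

```python
import ast
from typing import List

# Constructed sample pialert.conf: four benign data assignments followed by two
# lines a scanner should flag (a function call and an import). Assumption: the
# real file is a sequence of KEY = <literal> lines evaluated as Python.
SAMPLE_CONF = """
# Pi.Alert configuration (constructed sample)
SCAN_SUBNETS = '--localnet'
SCAN_CYCLE_MINUTES = 5
REPORT_MAIL = True
ALERT_TARGETS = ['admin@example.invalid']
REPORT_TO = __import__('os').getenv('HOME')
import subprocess
"""


def audit_config(text: str) -> List[str]:
    """Return one finding per top-level statement that is not a plain
    NAME = <Python literal> assignment. An empty list means the file
    carries only data and no executable construct."""
    findings: List[str] = []
    try:
        tree = ast.parse(text)
    except SyntaxError as exc:
        # A file the daemon cannot even compile is itself worth a look.
        return [f"line {exc.lineno}: file does not parse as Python ({exc.msg})"]
    for node in tree.body:
        ok = (
            isinstance(node, ast.Assign)
            and len(node.targets) == 1
            and isinstance(node.targets[0], ast.Name)
        )
        if ok:
            try:
                # literal_eval accepts only literals and containers of literals;
                # any call, attribute access or operator raises ValueError.
                ast.literal_eval(node.value)
            except ValueError:
                ok = False
        if not ok:
            findings.append(f"line {node.lineno}: {ast.get_source_segment(text, node)}")
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONF):
        print("SUSPICIOUS", finding)
```

Run it against the live file with `audit_config(open('/path/to/pialert.conf').read())`; any finding means the file contains something other than configuration data and should be compared against a known-good copy.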

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

This vulnerability is extremely severe due to the ease of exploitation and the resulting full system compromise. Immediate patching is non-negotiable for any publicly accessible Pi.Alert instance.