CVE-2026-44888

Pi.Alert · Pi.Alert

Pi.Alert is vulnerable to unauthenticated remote code execution through the configuration save endpoint, allowing arbitrary Python code injection.

Executive summary

An unauthenticated remote code execution vulnerability in Pi.Alert allows attackers to execute arbitrary commands by injecting code into the application configuration.

Vulnerability

The configuration saving function fails to sanitize user-provided values before writing them to the configuration file, which is then executed by the system cron process.

Business impact

With a CVSS score of 9.8, this vulnerability allows for full system compromise by an unauthenticated attacker. The ability to inject code that is executed periodically by the system daemon ensures persistent control and high impact on the host environment.

Remediation

Immediate Action: Upgrade to Pi.Alert version 2026-05-07 or later, which adds strict input validation for configuration values.

Proactive Monitoring: Audit the pialert.conf file for unauthorized modifications and monitor cron process activity for suspicious execution paths.

Compensating Controls: Enable web protection and restrict network access to the Pi.Alert web interface to prevent unauthenticated configuration changes.
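One way to carry out the configuration audit described under Proactive Monitoring, as an added example that is not part of this advisory or of the Pi.Alert project: the file is only parsed with `ast`, never executed, and every top-level statement that is not a plain `KEY = <literal>` assignment is reported. The sample configuration, its key names and the file format (one Python assignment per line) are constructed assumptions.

```python
import ast
import hashlib

# Constructed sample in the assumed pialert.conf format (one Python
# assignment per line). Key names and values are assumptions, not real data.
SAMPLE_CONF = """\
# Pi.Alert configuration (constructed sample)
PIALERT_PATH = '/home/pi/pialert'
SCAN_SUBNETS = ['192.168.1.0/24 --interface=eth0']
REPORT_MAIL = True
# Tampered entry: the value is an expression, not a plain literal
SMTP_USER = 'user' + __import__('os').getcwd()
# Tampered entry: a statement that is not an assignment at all
import subprocess
"""


def audit_config(text):
    """Return (line_no, reason) for every top-level statement that is not a
    simple KEY = <literal> assignment. Parsing only; nothing is executed."""
    findings = []
    try:
        tree = ast.parse(text)
    except SyntaxError as e:
        return [(e.lineno or 0, f"syntax error: {e.msg}")]
    for node in tree.body:
        if (not isinstance(node, ast.Assign) or len(node.targets) != 1
                or not isinstance(node.targets[0], ast.Name)):
            findings.append((node.lineno,
                             f"not a simple assignment: {type(node).__name__}"))
            continue
        try:
            # literal_eval rejects calls, names, attribute access, string
            # concatenation with non-literals: anything that could run code.
            ast.literal_eval(node.value)
        except (ValueError, TypeError, SyntaxError):
            findings.append((node.lineno,
                             f"{node.targets[0].id} has a non-literal value"))
    return findings


def baseline_sha256(text):
    """Hash to record right after a trusted save of the configuration."""
    return hashlib.sha256(text.encode()).hexdigest()


def config_changed(text, known_good_sha256):
    """Integrity check of the current file against the recorded baseline."""
    return baseline_sha256(text) != known_good_sha256


if __name__ == "__main__":
    for line_no, reason in audit_config(SAMPLE_CONF):
        print(f"line {line_no}: {reason}")
```

Run it against the real file with `audit_config(open(path).read())` from a cron job or file-integrity hook; any finding means the configuration contains code rather than settings and should be treated as a tampering indicator.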

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

This is a critical vulnerability that must be addressed immediately. Users should update the software and ensure that the web interface is not exposed to untrusted networks.