CVE-2026-44886
Description
Pi.Alert is a WIFI / LAN intruder detector with web service monitoring. From 2024-06-29 to before 2026-05-07, the web application endpoint is vulnerable to SQL injection. The /pialert/php/server/devices.php route accepts requests from unauthenticated users when the action URL parameter is set to getDevicesTotals. The scansource URL parameter is then injected in a SQL query. This vulnerability is fixed in 2026-05-07.
Weakness Type (CWE)
References
Frequently Asked Questions
What is CVE-2026-44886? +
How do I check if I'm vulnerable to CVE-2026-44886? +
Related Vulnerabilities
Unauthenticated user is able to execute arbitrary SQL commands in Sparx Pro Cloud Server database in certain cases.
ChurchCRM is an open-source church management system. Versions prior to 7.2.0 have SQL injection in FinancialService::getMemberByScanString() via unsanitized $routeAndAccount concatenated …
SQL injection vulnerability in Zeon Academy Pro by Zeon Global Tech. This vulnerability allows an attacker to retrieve, create, update, …
SureCart version prior to 4.2.1 are vulnerable to authenticated SQL injection via multiple parameters ('model_name', 'model_id', 'integration_id', 'provider') on the …
A SQL injection vulnerability has been identified in STER. Improper neutralization of input provided by user into multiple Search Filters …
Masa CMS is an open source content management system. In versions 7.5.2 and earlier, a SQL injection vulnerability exists in …