Impact
Pi.Alert exposes an unauthenticated remote code execution flaw through its SaveConfigFile() endpoint, which writes user‑supplied numeric configuration values directly into the pialert.conf file without validation. Because the configuration file is subsequently executed by Python’s exec() function every 3–5 minutes by a background cron process, an attacker can inject arbitrary Python code and gain full OS‑level control on machines that run the vulnerable version. The issue is rooted in failure to validate or sanitize user input before it reaches a code‑execution context (CWE‑94).
Affected Systems
The vulnerability affects the Pi.Alert product developed by leiweibau. Prior to the 2026‑05‑07 release, any installation that had its web protection disabled (PIALERT_WEB_PROTECTION = False) was susceptible to exploitation. No specific version numbers are listed in the advisory except that the fix was included in the 2026‑05‑07 update.
Risk and Exploitability
The CVSS score of 9.8 indicates critical severity, and the vulnerability is marked as unauthenticated, which means any local or remote user who can reach the web interface can exploit it without credentials. The EPSS score is not available, and the issue is not listed in the CISA KEV catalog. Based on the available information, the likely attack vector is submitting a crafted numeric value to SaveConfigFile() on a host that runs the impacted Pi.Alert version. If the exploit succeeds, the attacker can execute arbitrary code with the privileges of the process that runs the cron task, effectively compromising the entire host.
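The two defensive controls implied by the Impact section, written as an added example that is not Pi.Alert's own code: numeric settings are strictly validated before they are written, and the config is loaded with ast.literal_eval instead of exec(), so a line that is not a plain literal fails to load rather than running. The one-"KEY = literal"-per-line layout, the key names and the sample config are assumptions.

```python
import ast
import re

# Assumed layout of pialert.conf: one "KEY = <python literal>" per line,
# plus blank lines and full-line "#" comments. Not the project's real format.
_KEY_RE = re.compile(r"[A-Z][A-Z0-9_]*")
_INT_RE = re.compile(r"[+-]?\d+")


def validate_numeric_setting(key: str, raw: str) -> int:
    """Check a user-supplied numeric setting before it is written to the config.

    Only a bare, optionally signed integer passes; any trailing characters are
    rejected here, so nothing but a number reaches a file that is later evaluated.
    """
    if not _KEY_RE.fullmatch(key):
        raise ValueError(f"invalid setting name: {key!r}")
    raw = raw.strip()
    if not _INT_RE.fullmatch(raw):
        raise ValueError(f"{key}: expected an integer, got {raw!r}")
    return int(raw)


def render_config_line(key: str, raw: str) -> str:
    """Produce the config line to write, only after validation succeeds."""
    return f"{key} = {validate_numeric_setting(key, raw)}\n"


def load_config_safely(text: str) -> dict:
    """Parse the config with ast.literal_eval instead of exec().

    literal_eval accepts only literals (numbers, strings, booleans, None and
    containers of those); an expression or a call raises instead of running.
    """
    settings = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        key = key.strip()
        if not sep or not _KEY_RE.fullmatch(key):
            raise ValueError(f"line {lineno}: malformed setting line")
        try:
            settings[key] = ast.literal_eval(value.strip())
        except (ValueError, SyntaxError) as exc:
            raise ValueError(f"line {lineno}: {key} is not a plain literal") from exc
    return settings


# Constructed sample config for demonstration (not a real pialert.conf).
SAMPLE_CONF = "# constructed sample\nPIALERT_WEB_PROTECTION = False\nSCAN_CYCLE_MINUTES = 5\n"
```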
OpenCVE Enrichment