CVE-2026-30930
Published: 2026-03-10
Priority: P3 57 · critical · CVSS 3.1 base score 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.36% (28.2th percentile)
Glances is an open-source, cross-platform system monitoring tool. Prior to 4.5.1, the TimescaleDB export module constructs SQL queries using string concatenation with unsanitized system monitoring data. The normalize() method wraps string values in single quotes but does not escape embedded single quotes, making SQL injection trivial via attacker-controlled data such as process names, filesystem mount points, network interface names, or container names. This vulnerability is fixed in 4.5.1.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | glances | < glances 4.5.1+dfsg-1 (forky) | glances 4.5.1+dfsg-1 (forky) |
| glances_project | glances | >= 0 < 4.5.1+dfsg-1 | 4.5.1+dfsg-1 |
| glances_project | glances | >= 0 < 4.5.1 | 4.5.1 |
| nicolargo | glances | < 4.5.1 | 4.5.1 |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 4.0 | 7.3 | HIGH | CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| osv | – | 8.6 | HIGH | – |
| vendor_debian | – | 8.6 | LOW | – |
Debian
vendor_debian · 2026 · CVSS 8.6 · HIGH
CVE-2026-30930: glances (same description as above)
Scope: local
bookworm: resolved
forky: resolved (fixed in 4.5.1+dfsg-1)
sid: resolved (fixed in 4.5.1+dfsg-1)
trixie: resolved
OSV
osv · 2026-03-10 · CVSS 8.6 · HIGH
CVE-2026-30930: Glances is an open-source system cross-platform monitoring tool (same description as above)
GHSA
ghsa · 2026-03-09 · HIGH · CWE-89
Glances has SQL Injection via Process Names in TimescaleDB Export
### Summary
The TimescaleDB export module constructs SQL queries using string concatenation with unsanitized system monitoring data. The normalize() method wraps string values in single quotes but does not escape embedded single quotes, making SQL injection trivial via attacker-controlled data such as process names, filesystem mount points, network interface names, or container names.
Root Cause: The normalize() function uses f"'{value}'" for string values without escaping single quotes within the value. The resulting strings are concatenated into INSERT queries via string formatting and executed directly with cur.execute() — no parameterized queries are used.
#### Affected Code
- File: glances/exports/glances_timescale
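The root cause described above, reduced to a runnable illustration (an added example, not Glances' own code): normalize_vulnerable() mirrors the quote-but-don't-escape pattern the advisory describes, build_insert_parameterized() is the assumed hardened form using driver placeholders, and sqlite3 stands in for TimescaleDB so the example runs offline (a psycopg2 cursor would take the same query with "%s" placeholders).

```python
import sqlite3

def normalize_vulnerable(value):
    # Mirrors the described pre-4.5.1 pattern (reconstruction, not Glances' code):
    # strings are wrapped in single quotes, embedded quotes are NOT escaped.
    if isinstance(value, str):
        return f"'{value}'"
    return str(value)

def build_insert_vulnerable(table, row):
    # String-formatted INSERT: a quote inside any value ends the SQL literal early.
    cols = ", ".join(row)
    vals = ", ".join(normalize_vulnerable(v) for v in row.values())
    return f"INSERT INTO {table} ({cols}) VALUES ({vals})"

def build_insert_parameterized(table, row, placeholder="?"):
    # Assumed hardened form: data travels as bound parameters, never inside the SQL text.
    # Identifiers (table/column names) come from the exporter's own stat keys and are
    # assumed trusted here; only the values are attacker-influenced monitoring data.
    # sqlite3 uses "?", psycopg2 (PostgreSQL/TimescaleDB) uses "%s".
    cols = ", ".join(row)
    slots = ", ".join(placeholder for _ in row)
    return f"INSERT INTO {table} ({cols}) VALUES ({slots})", tuple(row.values())

def export_rows(rows, safe=True):
    # Runs the export against an in-memory sqlite3 table (stand-in for TimescaleDB)
    # and reports whether every row landed, plus the stored process names.
    conn = sqlite3.connect(":memory:")
    cur = conn.cursor()
    cur.execute("CREATE TABLE processes (name TEXT, cpu_percent REAL)")
    try:
        for row in rows:
            if safe:
                sql, params = build_insert_parameterized("processes", row)
                cur.execute(sql, params)
            else:
                cur.execute(build_insert_vulnerable("processes", row))
    except sqlite3.Error as exc:
        return {"ok": False, "error": str(exc), "names": []}
    names = [r[0] for r in cur.execute("SELECT name FROM processes ORDER BY rowid")]
    return {"ok": True, "error": None, "names": names}

# Constructed sample: a perfectly legitimate process name that contains a single
# quote, exactly the kind of value the advisory says reaches the export unescaped.
SAMPLE_ROWS = [
    {"name": "python3 glances", "cpu_percent": 0.4},
    {"name": "sh -c 'sleep 30'", "cpu_percent": 1.5},
]
```

Calling export_rows(SAMPLE_ROWS, safe=False) fails with a syntax error because the quote in the second process name terminates the literal, while export_rows(SAMPLE_ROWS) stores both names intact.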
OSV
osv · 2026-03-09 · HIGH
Glances has SQL Injection via Process Names in TimescaleDB Export (mirror of the GHSA advisory above)
No detection rules found.
No public exploits indexed.
Bugzilla
bugzilla · 2026-03-10 · CVSS 9.8 · CRITICAL
CVE-2026-30930 glances: SQL injection via process names in TimescaleDB export [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
This package has changed maintainer in Fedora. Reassigning to the new maintainer of this component.
Bugzilla
bugzilla · 2026-03-10 · CVSS 9.8 · CRITICAL
CVE-2026-30930 glances: SQL injection via process names in TimescaleDB export [epel-all]
Discussion:
This package has changed maintainer in Fedora. Reassigning to the new maintainer of this component.
Wiz
blogs_wiz · CVSS 8.6 · HIGH
CVE-2026-30930 Impact, Exploitability, and Mitigation Steps | Wiz
CVE-2026-30930: Python vulnerability analysis and mitigation (same description as above; source: NVD)
- Score: 8.6 (CNA score 8.6), severity HIGH
- Published: March 10, 2026
- Affected technologies: Python, NixOS
- Has public exploit: Yes
- Has CISA KEV exploit: No (CISA KEV release date N/A, due date N/A)
- Timeline: published 2026-03-10