CVE-2026-32608
Published 2026-03-18
Priority: P3
CVSS 3.1: 7.0 HIGH (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.24% (15.3th percentile)
Glances is an open-source system cross-platform monitoring tool. The Glances action system allows administrators to configure shell commands that execute when monitoring thresholds are exceeded. These commands support Mustache template variables (e.g., `{{name}}`, `{{key}}`) that are populated with runtime monitoring data. The `secure_popen()` function, which executes these commands, implements its own pipe, redirect, and chain operator handling by splitting the command string before passing each segment to `subprocess.Popen(shell=False)`. Prior to 4.5.2, when a Mustache-rendered value (such as a process name, filesystem mount point, or container name) contains pipe, redirect, or chain metacharacters, the rendered command is split in unintended ways, allowing an attacker who controls a process name or container name to inject arbitrary commands. Version 4.5.2 fixes the issue.
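The following is an added, constructed model of the bug class described above, not Glances' own `secure_popen()` code: it contrasts the vulnerable order of operations (render the template, then split on pipe/chain operators) with a hardened order (split the template into argv tokens first, then render values into tokens), plus a small detection check; the function names and the operator set are assumptions.

```python
import re
import shlex
from typing import Dict, List

# Constructed model of the bug class behind CVE-2026-32608. This is not
# Glances' secure_popen(); function names and the operator set are assumptions.
CHAIN_OPS = {"|", "||", "&&", ";"}
OP_SPLIT = re.compile(r"\s*(?:\|\||&&|;|\|)\s*")
VAR = re.compile(r"\{\{(\w+)\}\}")


def render(text: str, data: Dict[str, str]) -> str:
    """Minimal Mustache-style {{var}} substitution (constructed helper)."""
    return VAR.sub(lambda m: data.get(m.group(1), ""), text)


def plan_unsafe(template: str, data: Dict[str, str]) -> List[List[str]]:
    """Vulnerable order: render the whole string, THEN split on operators and
    shlex each piece for Popen(shell=False). A value containing ';' or '|'
    therefore becomes a command boundary and adds a command of its own."""
    rendered = render(template, data)
    return [shlex.split(seg) for seg in OP_SPLIT.split(rendered) if seg]


def plan_safe(template: str, data: Dict[str, str]) -> List[List[str]]:
    """Hardened order: tokenise and split the *template* first, then render
    values into individual argv tokens, so a value can never add a command."""
    commands: List[List[str]] = [[]]
    for tok in shlex.split(template):
        if tok in CHAIN_OPS:
            commands.append([])
        else:
            commands[-1].append(render(tok, data))
    return [argv for argv in commands if argv]


def suspicious_values(data: Dict[str, str]) -> List[str]:
    """Detection aid: names of template inputs carrying pipe/chain/redirect
    characters, worth alerting on before any action command is run."""
    return [k for k, v in data.items() if re.search(r"[|&;<>`$]", v)]


if __name__ == "__main__":
    template = "logger -t glances {{name}} | tee /tmp/last_alert"
    # Constructed monitoring value: a process name that carries ';'.
    data = {"name": "nginx; echo injected"}
    print("unsafe:", plan_unsafe(template, data))   # three commands
    print("safe:  ", plan_safe(template, data))     # two commands, value intact
    print("flagged:", suspicious_values(data))
```

Nothing is executed here; the functions only return the argv lists that would reach `Popen(shell=False)`, which is enough to show that the rendered value splits into an extra command in the unsafe order and stays a single argument in the safe one.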
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | glances | < glances 4.5.2+dfsg-1 (forky) | glances 4.5.2+dfsg-1 (forky) |
| glances_project | glances | >= 0 < 4.5.2+dfsg-1 | 4.5.2+dfsg-1 |
| glances_project | glances | >= 0 < 4.5.2 | 4.5.2 |
| nicolargo | glances | < 4.5.2 | 4.5.2 |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.0 | HIGH | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |
| osv | | 7.0 | HIGH | |
| vendor_debian | | 7.0 | HIGH | |
Debian
vendor_debian · 2026 · CVSS 7.0 · HIGH
CVE-2026-32608: glances - Glances is an open-source system cross-platform monitoring tool. The Glances act...
OSV
osv · 2026-03-18 · CVSS 7.0 · HIGH
CVE-2026-32608: Glances is an open-source system cross-platform monitoring tool
OSV
osv · 2026-03-16 · HIGH
Glances has a Command Injection via Process Names in Action Command Templates
GHSA
ghsa · 2026-03-16 · HIGH · CWE-78
Glances has a Command Injection via Process Names in Action Command Templates
No detection rules found.
No public exploits indexed.
Bugzilla
bugzilla · 2026-03-18 · CVSS 7.0 · HIGH
CVE-2026-32608 glances: command injection via process names in action command templates [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
This package has changed maintainer in Fedora. Reassigning to the new maintainer of this component.
Bugzilla
bugzilla · 2026-03-18 · CVSS 7.0 · HIGH
CVE-2026-32608 glances: command injection via process names in action command templates [epel-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
This package has changed maintainer in Fedora. Reassigning to the new maintainer of this component.
Wiz
blogs_wiz · CVSS 7.0 · HIGH
CVE-2026-32608 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-32608: Python vulnerability analysis and mitigation
Source: NVD
Score: 7
Published: March 18, 2026
Severity: HIGH
CNA Score: 7.0
Affected Technologies: Python, NixOS
Has Public Exploit: Yes
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 0.8
Exploitation Probability (EPSS): N/A
Affected packages and libraries: glances
Sources: NVD
| Distribution | Versions | Severity | Fix status | Added at |
|---|---|---|---|---|
| Alpine | 3.10, 3.11, 3.12, 3.13, 3.14, 3.15, 3.16, 3.17, 3.18, 3.19, 3.20, 3.21, 3.22, 3.23, edge | HIGH | No Fix | Mar 19, 2026 |
| Debian | 12, 13 | MEDIUM | No Fix | Mar 19, 2026 |
| Debian | 14 | HIGH | Has Fix | Mar 19, 2026 |
| Echo | | HIGH | No Fix | Mar 19, 20 |