CVE-2026-32611
Published 2026-03-18
Priority P3 (53) · severity critical · CVSS 3.1 base score 9.1
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS: 0.33% (24.3 percentile)
Glances is an open-source system cross-platform monitoring tool. The GHSA-x46r fix (commit 39161f0) addressed SQL injection in the TimescaleDB export module by converting all SQL operations to use parameterized queries and `psycopg.sql` composable objects. However, the DuckDB export module (`glances/exports/glances_duckdb/__init__.py`) was not included in this fix and contains the same class of vulnerability: table names and column names derived from monitoring statistics are directly interpolated into SQL statements via f-strings. While DuckDB INSERT values already use parameterized queries (`?` placeholders), the DDL construction and table name references do not escape or parameterize identifier names. Version 4.5.3 provides a more complete fix.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | glances | < glances 4.5.2+dfsg-1 (forky) | glances 4.5.2+dfsg-1 (forky) |
| glances_project | glances | >= 0 < 4.5.2+dfsg-1 | 4.5.2+dfsg-1 |
| glances_project | glances | >= 0 < 4.5.2 | 4.5.2 |
| nicolargo | glances | < 4.5.2 | 4.5.2 |
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
| osv | 9.1 | CRITICAL | |
| vendor_debian | 7.0 | HIGH | |
OSV
CVE-2026-32611: Glances is an open-source system cross-platform monitoring tool
osv·2026-03-18·CVSS 9.1
GHSA
Glances has a SQL Injection in DuckDB Export via Unparameterized DDL Statements
ghsa · 2026-03-16 · HIGH · CWE-89
## Summary
The GHSA-x46r fix (commit 39161f0) addressed SQL injection in the TimescaleDB export module by converting all SQL operations to use parameterized queries and `psycopg.sql` composable objects. However, the DuckDB export module (`glances/exports/glances_duckdb/__init__.py`) was not included in this fix and contains the same class of vulnerability: table names and column names derived from monitoring statistics are directly interpolated into SQL statements via f-strings. While DuckDB INSERT values already use parameterized queries (`?` placeholders), the DDL construction and table name references do not escape or parameterize identifier names.
## Details
The DuckDB export module constructs SQL DDL s
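The advisory (and the page summary at the top) draws the line between parameterized INSERT values and identifiers interpolated into DDL. The following is an added example, not Glances' code: a reconstruction of the raw f-string pattern next to a hardened builder that allowlists and double-quotes identifiers while leaving values as `?` placeholders. Function names, the type map and the sample stat names are assumptions.

```python
import re

# Hypothetical helpers for a DuckDB stats exporter; not Glances' code.
# Only plain identifiers may reach DDL: letters, digits, underscore, not digit-leading.
_IDENT_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")
# Column types come from a fixed map, never from the stats payload.
_SQL_TYPES = {"int": "BIGINT", "float": "DOUBLE", "str": "VARCHAR"}

def vulnerable_create_table(table, columns):
    """Pattern the advisory describes (reconstructed): names interpolated raw."""
    cols = ", ".join(f"{n} {_SQL_TYPES[k]}" for n, k in columns.items())
    return f"CREATE TABLE IF NOT EXISTS {table} ({cols})"

def quote_ident(name):
    """Double-quote an identifier, doubling any embedded double quote."""
    if not name or "\x00" in name:
        raise ValueError(f"invalid identifier: {name!r}")
    return '"' + name.replace('"', '""') + '"'

def check_ident(name):
    """Allowlist policy: refuse anything that is not a plain identifier, then quote."""
    if not _IDENT_RE.fullmatch(name):
        raise ValueError(f"identifier rejected: {name!r}")
    return quote_ident(name)

def rejects(name):
    """True when the allowlist policy refuses the name."""
    try:
        check_ident(name)
    except ValueError:
        return True
    return False

def hardened_create_table(table, columns):
    """Same DDL, but every identifier is validated and quoted before use."""
    cols = ", ".join(f"{check_ident(n)} {_SQL_TYPES[k]}" for n, k in columns.items())
    return f"CREATE TABLE IF NOT EXISTS {check_ident(table)} ({cols})"

def hardened_insert(table, columns):
    """Identifiers quoted; values stay '?' placeholders for DuckDB's parameter binding."""
    names = ", ".join(check_ident(c) for c in columns)
    marks = ", ".join("?" for _ in columns)
    return f"INSERT INTO {check_ident(table)} ({names}) VALUES ({marks})"

# Constructed sample input: a stat table, plus one column name carrying a quote.
SAMPLE_TABLE, SAMPLE_COLS = "cpu", {"total": "float", "user": "float", "ctx_switches": "int"}
ODD_NAME = 'load"avg'

if __name__ == "__main__":
    print(vulnerable_create_table(SAMPLE_TABLE, {ODD_NAME: "float"}))  # quote lands in the DDL
    print(hardened_create_table(SAMPLE_TABLE, SAMPLE_COLS))  # "user" is safe once quoted
    print(hardened_insert(SAMPLE_TABLE, list(SAMPLE_COLS)), rejects(ODD_NAME))
```

The allowlist is the control that matters for stat-derived names; quoting alone (`quote_ident`) is the fallback when a legitimate name contains characters outside the allowlist.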
Debian
CVE-2026-32611: glances - Glances is an open-source system cross-platform monitoring tool. The GHSA-x46r f...
vendor_debian · 2026 · CVSS 7.0 · HIGH
Scope: local
Debian status: bookworm open, forky resolved
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-32611 glances: SQL injection in DuckDB export via unparameterized DDL statements [fedora-all]
bugzilla · 2026-03-18 · CVSS 9.1 · CRITICAL
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
This package has changed maintainer in Fedora. Reassigning to the new maintainer of this component.
Bugzilla
CVE-2026-32611 glances: SQL injection in DuckDB export via unparameterized DDL statements [epel-all]
bugzilla · 2026-03-18 · CVSS 9.1 · CRITICAL
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
This package has changed maintainer in Fedora. Reassigning to the new maintainer of this component.
Wiz
CVE-2026-32611 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 7.0 · HIGH
## CVE-2026-32611: Python vulnerability analysis and mitigation
Source: NVD
| Field | Value |
|---|---|
| Score | 9.1 |
| Published | March 18, 2026 |
| Severity | CRITICAL |
| CNA Score | 7.0 |
| Affected Technologies | Python, NixOS |
| Has Public Exploit | Yes |
| Has CISA KEV Exploit | No |
| CISA KEV Release Date | N/A |
| CISA KEV Due Date | N/A |
| Exploitation Probability Percentile (EPSS) | 2.5 |
| Exploitation Probability (EPSS) | N/A |
| Affected packages and libraries | glances |
| Sources | NVD |

| Distribution | Severity | Fix | Added at |
|---|---|---|---|
| Debian 12, 13 | MEDIUM | No Fix | Mar 19, 2026 |
| Debian 14 | CRITICAL | Has Fix | Mar 19, 2026 |
| Echo | CRITICAL | No Fix | Mar 19, 2026 |
| pip | HIGH | Has Fix | Mar 17, 2026 |
| Homebrew | CRITICAL | Has Fix | Mar 20, 2026 |
| Nix | CRITICA | | |