cbcvebase.
CVE-2026-32634
published 2026-03-18

CVE-2026-32634: Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.2, in Central Browser mode, Glances stores both the Zeroconf-advertised…

PriorityP346high8.1CVSS 3.1
AVAACLPRNUINSUCHIHAN
EPSS
0.28%
19.9th percentile
Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.2, in Central Browser mode, Glances stores both the Zeroconf-advertised server name and the discovered IP address for dynamic servers, but later builds connection URIs from the untrusted advertised name instead of the discovered IP. When a dynamic server reports itself as protected, Glances also uses that same untrusted name as the lookup key for saved passwords and the global `[passwords] default` credential. An attacker on the same local network can advertise a fake Glances service over Zeroconf and cause the browser to automatically send a reusable Glances authentication secret to an attacker-controlled host. This affects the background polling path and the REST/WebUI click-through path in Central Browser mode. Version 4.5.2 fixes the issue.

Affected

4 ranges
VendorProductVersion rangeFixed in
debianglances< glances 4.5.2+dfsg-1 (forky)glances 4.5.2+dfsg-1 (forky)
glances_projectglances>= 0 < 4.5.2+dfsg-14.5.2+dfsg-1
glances_projectglances>= 0 < 4.5.24.5.2
nicolargoglances< 4.5.24.5.2

CVSS provenance

nvdv3.18.1HIGHCVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
osv8.1HIGH
vendor_debian8.1HIGH
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.