CVE-2026-46606
Published: 2026-06-25
Priority: P348 · Severity: high · CVSS 3.1 base score: 7.8
CVSS vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.21% (11.6th percentile)
Glances is an open-source, cross-platform system monitoring tool. Prior to 4.5.5, the Glances KVM/QEMU monitoring engine (glances/plugins/vms/engines/virsh.py) passes VM domain names, read directly from virsh list --all output, into f-string command templates that are processed by secure_popen(). secure_popen() is explicitly designed to interpret &&, |, and > as shell operators. Because domain names are never sanitised before interpolation, any user with the ability to create or rename a KVM/QEMU virtual machine can execute arbitrary commands as the OS user running Glances — commonly root on hypervisor hosts. This vulnerability is fixed in 4.5.5.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| glances_project | glances | >= 0 < 4.5.5 | 4.5.5 |
| nicolargo | glances | < 4.5.5 | 4.5.5 |
VulDB
nicolargo glances up to 4.5.4 virsh.py secure_popen os command injection (GHSA-v5r2-qh84-fjx5)
vuldb · 2026-06-26 · HIGH · CVSS 7.8
A vulnerability classified as critical was found in nicolargo glances up to 4.5.4. The impacted element is the function secure_popen of the file glances/plugins/vms/engines/virsh.py. Executing a manipulation can lead to OS command injection.
This vulnerability is handled as CVE-2026-46606. It is possible to launch the attack on the local host. No exploit is available.
Upgrading the affected component is advised.
GHSA
Glances is Vulnerable to Command Injection via KVM/QEMU VM Domain Names in glances/plugins/vms/engines/virsh.py
ghsa · 2026-06-22 · HIGH · CWE-78
### Summary
The Glances KVM/QEMU monitoring engine (`glances/plugins/vms/engines/virsh.py`) passes VM domain names, read directly from `virsh list --all` output, into f-string command templates that are processed by `secure_popen()`. `secure_popen()` is explicitly designed to interpret `&&`, `|`, and `>` as shell operators. Because domain names are never sanitised before interpolation, any user with the ability to create or rename a KVM/QEMU virtual machine can execute arbitrary commands as the OS user running Glances — commonly root on hypervisor hosts.
---
### Details
**Affected file:** `glances/plugins/vms/engines/virsh.py`
**Direct URLs (commit 04579778e733d705898a169e0
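The advisory above describes the defect in terms of three operators that `secure_popen()` honours. As an added example (not Glances or libvirt code, and not the project's fix), the following Python block shows what a hypervisor operator can do on the defensive side: parse `virsh list --all` output by column position, flag any domain name carrying shell operators, and build per-domain `virsh` commands as argv lists so that no shell ever parses the name. It goes beyond the page in two ways: it rejects more metacharacters than the three the advisory names, and it also refuses names that start with `-` (which an argv list alone would not protect against, since `virsh` could read them as options). The `virsh list --all` table sample is constructed, not captured from a real host; `virsh dominfo` is a real subcommand, but the function names and the `_row` layout helper are this example's own.

```python
"""Added example (not Glances or libvirt code): audit the domain names that
`virsh list --all` reports for shell operators before any of them reaches a
command template, and build per-domain commands as argv lists so that no
shell ever parses the name."""
import re
from typing import List, Tuple

# Operators the advisory names as interpreted by secure_popen(), plus the
# other metacharacters a defender would refuse in a domain name anyway.
SHELL_OPERATORS = ("&&", "||", "|", ">", "<", ";", "`", "$(", "\n")
# Conservative allow-list: alphanumerics, dot, underscore, hyphen; must not
# start with '-' so the name can never be mistaken for a virsh option.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")


def parse_virsh_list(output: str) -> List[str]:
    """Return domain names from `virsh list --all` table output.

    Columns are sliced by the header positions of 'Name' and 'State', so a
    name containing spaces (which a naive split() would mangle) survives.
    """
    lines = [ln for ln in output.splitlines() if ln.strip()]
    header = lines[0]
    name_col, state_col = header.index("Name"), header.index("State")
    # lines[1] is the dashed separator; data rows start at index 2
    return [ln[name_col:state_col].strip() for ln in lines[2:]]


def suspicious_names(names: List[str]) -> List[Tuple[str, str]]:
    """Flag names that would be unsafe to interpolate into a shell command."""
    findings = []
    for name in names:
        op = next((o for o in SHELL_OPERATORS if o in name), None)
        if op is not None:
            findings.append((name, f"contains shell operator {op!r}"))
        elif not SAFE_NAME.match(name):
            findings.append((name, "outside the conservative allow-list"))
    return findings


def domain_argv(name: str, subcommand: str = "dominfo") -> List[str]:
    """Build the argv for a per-domain virsh query with no shell involved.

    Passed as a list to subprocess.run(..., shell=False), the name is one
    argument no matter what it contains; the allow-list check on top of
    that also rules out option-lookalike names such as '-ghost'.
    """
    if not SAFE_NAME.match(name):
        raise ValueError(f"refusing to query domain with unsafe name {name!r}")
    return ["virsh", subcommand, name]


def _row(dom_id: str, name: str, state: str) -> str:
    # Lay rows out the way virsh does: fixed-width Id and Name columns
    # (hypothetical helper used only to build the constructed sample).
    return f" {dom_id:<4} {name:<26} {state}"


# Constructed sample output, not captured from a real host: two ordinary
# domains and two whose names carry operators the advisory describes.
SAMPLE_VIRSH_OUTPUT = "\n".join([
    _row("Id", "Name", "State"),
    "-" * 44,
    _row("1", "web01", "running"),
    _row("-", "db01", "shut off"),
    _row("-", "bkp && id", "shut off"),
    _row("-", "api>log", "running"),
])


def audit(output: str) -> List[Tuple[str, str]]:
    """Parse virsh output and return the findings a hypervisor host should alert on."""
    return suspicious_names(parse_virsh_list(output))


if __name__ == "__main__":
    for name, reason in audit(SAMPLE_VIRSH_OUTPUT):
        print(f"ALERT domain {name!r}: {reason}")
    print(domain_argv("web01"))
```

Feeding real `virsh list --all` output into `audit()` on a host that ran a Glances version before 4.5.5 gives a quick answer to the incident-response question "did any domain name exist that could have triggered this?". The argv-list construction in `domain_argv()` is the general remedy for this class of bug: it removes the shell from the path entirely, and the allow-list closes the remaining gap where a name could be parsed as an option rather than an operand.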
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-46606 rtklib: Glances: Command Injection via KVM/QEMU VM Domain Names in glances/plugins/vms/engines/virsh.py [epel-all]
bugzilla · 2026-06-29 · HIGH · CVSS 7.8
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-46606 rtklib: Glances: Command Injection via KVM/QEMU VM Domain Names in glances/plugins/vms/engines/virsh.py [fedora-all]
bugzilla · 2026-06-29 · HIGH · CVSS 7.8
Bugzilla
CVE-2026-46606 glances: Glances: Command Injection via KVM/QEMU VM Domain Names in glances/plugins/vms/engines/virsh.py
bugzilla · 2026-06-25 · HIGH · CVSS 7.8