
Glances Project Glances vulnerabilities

21 known vulnerabilities affecting glances_project/glances.

Total CVEs: 21
CISA KEV: 0
Public exploits: 3
Exploited in wild: 0
Severity breakdown: CRITICAL 2, HIGH 15, MEDIUM 4

Vulnerabilities

Page 1 of 2
CVE-2026-30928 | P2 | HIGH | CVSS 8.7 | PoC | affected: ≥ 0, < 4.5.1 | 2026-03-09
CVE-2026-30928 [HIGH] CWE-200: Glances Exposes Unauthenticated Configuration Secrets. Summary: The /api/4/config REST API endpoint returns the entire parsed Glances configuration file (glances.conf) via self.config.as_dict() with no filtering of sensitive values. The configuration file contains credentials for all configured backend services including database passwords, API tokens, JWT signing keys, and SSL key passwords. Details: Root
Sources: ghsa, osv
CVE-2026-32596 | P2 | HIGH | CVSS 8.7 | PoC | affected: ≥ 0, < 4.5.2 | 2026-03-16
CVE-2026-32596 [HIGH] CWE-200: Glances exposes the REST API without authentication. Summary: Glances web server runs without authentication by default when started with `glances -w`, exposing REST API with sensitive system information including process command-lines containing credentials (passwords, API keys, tokens) to any network client. Details: Root Cause: Authentication is optional and disabled by default. When no password is provid
Sources: ghsa, osv
CVE-2026-33641 | P3 | HIGH | CVSS 7.8 | PoC | affected: ≥ 0, ≤ 4.5.2 | 2026-03-30
CVE-2026-33641 [HIGH] CWE-78: Glances Vulnerable to Command Injection via Dynamic Configuration Values. Summary: Glances supports dynamic configuration values in which substrings enclosed in backticks are executed as system commands during configuration parsing. This behavior occurs in Config.get_value() and is implemented without validation or restriction of the executed commands. If an attacker can modify or influence c
Sources: ghsa, osv
CVE-2026-32633 | P2 | CRITICAL | CVSS 9.1 | affected: ≥ 0, < 4.5.2 | 2026-03-16
CVE-2026-32633 [CRITICAL] CWE-200: Glances's Browser API Exposes Reusable Downstream Credentials via `/api/4/serverslist`. Summary: In Central Browser mode, the `/api/4/serverslist` endpoint returns raw server objects from `GlancesServersList.get_servers_list()`. Those objects are mutated in-place during background polling and can contain a `uri` field with embedded HTTP Basic credentials for downstream Glan
Sources: ghsa, osv
CVE-2026-30930 | P3 | HIGH | CVSS 8.6 | affected: ≥ 0, < 4.5.1 | 2026-03-09
CVE-2026-30930 [HIGH] CWE-89: Glances has SQL Injection via Process Names in TimescaleDB Export. Summary: The TimescaleDB export module constructs SQL queries using string concatenation with unsanitized system monitoring data. The normalize() method wraps string values in single quotes but does not escape embedded single quotes, making SQL injection trivial via attacker-controlled data such as process names, filesystem mount po
Sources: ghsa, osv
CVE-2026-35587 | P3 | HIGH | affected: ≥ 0, < 4.5.4 | 2026-04-21
CVE-2026-35587 [HIGH] CWE-918: Glances has SSRF in IP Plugin via public_api leading to credential leakage. Summary: A Server-Side Request Forgery (SSRF) vulnerability exists in the Glances IP plugin due to improper validation of the public_api configuration parameter. The value of public_api is used directly in outbound HTTP requests without any scheme restriction or hostname/IP validation. An attacker who can modify t
Sources: ghsa
CVE-2026-32611 | P3 | HIGH | CVSS 9.1 | affected: ≥ 0, < 4.5.2 | 2026-03-16
CVE-2026-32611 [HIGH] CWE-89: Glances has a SQL Injection in DuckDB Export via Unparameterized DDL Statements. Summary: The GHSA-x46r fix (commit 39161f0) addressed SQL injection in the TimescaleDB export module by converting all SQL operations to use parameterized queries and `psycopg.sql` composable objects. However, the DuckDB export module (`glances/exports/glances_duckdb/__init__.py`) was not included in this
Sources: ghsa, osv
CVE-2026-32609 | P3 | HIGH | CVSS 7.5 | affected: ≥ 0, < 4.5.2 | 2026-03-16
CVE-2026-32609 [HIGH] CWE-200: Glances has Incomplete Secrets Redaction: /api/v4/args Endpoint Leaks Password Hash and SNMP Credentials. Summary: The GHSA-gh4x fix (commit 5d3de60) addressed unauthenticated configuration secrets exposure on the `/api/v4/config` endpoints by introducing `as_dict_secure()` redaction. However, the `/api/v4/args` and `/api/v4/args/{item}` endpoints were not add
Sources: ghsa, osv
CVE-2021-23418 | P3 | CRITICAL | CVSS 9.8 | fixed in 3.2.1 | affected: ≥ unspecified, < 3.2.1 | 2021-07-29
CVE-2021-23418 [CRITICAL] CWE-611: The package glances before 3.2.1 is vulnerable to XML External Entity (XXE) Injection via the use of Fault to parse untrusted XML data, which is known to be vulnerable to XML attacks.
Sources: ghsa, nvd, osv
CVE-2026-53925 | P3 | HIGH | CVSS 7.8 | affected: ≥ 4.0.8, < 4.5.5 | 2026-06-23
CVE-2026-53925 [HIGH] CWE-22: Glances has arbitrary file write and command execution via `secure_popen` redirection and chaining operators in AMP command configuration. Summary: The `secure_popen()` function in `glances/secure.py` interprets `>` (file redirection), `|` (pipe), and `&&` (command chaining) operators in command strings. These operators are app
Sources: ghsa
CVE-2026-32610 | P3 | HIGH | CVSS 8.1 | affected: ≥ 0, < 4.5.2 | 2026-03-16
CVE-2026-32610 [HIGH] CWE-942: Glances's Default CORS Configuration Allows Cross-Origin Credential Theft. Summary: The Glances REST API web server ships with a default CORS configuration that sets `allow_origins=["*"]` combined with `allow_credentials=True`. When both of these options are enabled together, Starlette's `CORSMiddleware` reflects the requesting `Origin` header value in the `Access-Control-Allow-Origin` resp
Sources: ghsa, osv
CVE-2026-32634 | P3 | HIGH | CVSS 8.1 | affected: ≥ 0, < 4.5.2 | 2026-03-16
CVE-2026-32634 [HIGH] CWE-346: Glances Central Browser Autodiscovery Leaks Reusable Credentials to Zeroconf-Spoofed Servers. Summary: In Central Browser mode, Glances stores both the Zeroconf-advertised server name and the discovered IP address for dynamic servers, but later builds connection URIs from the untrusted advertised name instead of the discovered IP. When a dynamic server reports itself as p
Sources: ghsa, osv
CVE-2026-46607 | P3 | HIGH | affected: ≥ 0, < 4.5.5 | 2026-06-22
CVE-2026-46607 [HIGH] CWE-502: Glances has Insecure Pickle Deserialization in its Version Cache that Leads to Arbitrary Code Execution. Summary: `glances/outdated.py` uses `pickle.load()` to read a version-check cache file stored at a predictable, world-accessible path (`~/.cache/glances/glances-version.db` or `$XDG_CACHE_HOME/glances/glances-version.db`). No integrity check, signature veri
Sources: ghsa
CVE-2026-46606 | P3 | HIGH | affected: ≥ 0, < 4.5.5 | 2026-06-22
CVE-2026-46606 [HIGH] CWE-78: Glances is Vulnerable to Command Injection via KVM/QEMU VM Domain Names in glances/plugins/vms/engines/virsh.py. Summary: The Glances KVM/QEMU monitoring engine (`glances/plugins/vms/engines/virsh.py`) passes VM domain names, read directly from `virsh list --all` output, into f-string command templates that are processed by `secure_popen()`. `secure_pop
Sources: ghsa
CVE-2026-46608 | P3 | MEDIUM | CVSS 6.5 | affected: ≥ 0, < 4.5.5 | 2026-06-22
CVE-2026-46608 [MEDIUM] CWE-183: Glances: XML-RPC Multi-Origin CORS Configuration Silently Falls Back to Wildcard (Incomplete Fix for CVE-2026-33533). Summary: The Glances XML-RPC server (`glances -s`) introduced a configurable CORS origin list in version 4.5.3 as a mitigation for CVE-2026-33533. However, the implementation silently falls back to `Access-Control-Allow-Origin: *
Sources: ghsa
CVE-2026-33533 | P3 | HIGH | CVSS 8.1 | affected: ≥ 0, ≤ 4.5.1 | 2026-03-30
CVE-2026-33533 [HIGH] CWE-942: Glances Vulnerable to Cross-Origin System Information Disclosure via XML-RPC Server CORS Wildcard. Summary: The Glances XML-RPC server (activated with glances -s or glances --server) sends Access-Control-Allow-Origin: * on every HTTP response. Because the XML-RPC handler does not validate the Content-Type header, an attacker-controlled webpage can issue a CORS "simp
Sources: ghsa, osv
CVE-2026-32608 | P3 | HIGH | CVSS 7.0 | affected: ≥ 0, < 4.5.2 | 2026-03-16
CVE-2026-32608 [HIGH] CWE-78: Glances has a Command Injection via Process Names in Action Command Templates. Summary: The Glances action system allows administrators to configure shell commands that execute when monitoring thresholds are exceeded. These commands support Mustache template variables (e.g., `{{name}}`, `{{key}}`) that are populated with runtime monitoring data. The `secure_popen()` function, which execu
Sources: ghsa, osv
CVE-2026-34839 | P3 | HIGH | affected: ≥ 0, < 4.5.4 | 2026-04-21
CVE-2026-34839 [HIGH] CWE-200: Glances: Cross-Origin Information Disclosure via Unauthenticated REST API (/api/4) due to Permissive CORS. Summary: The Glances web server exposes a REST API (`/api/4/*`) that is accessible without authentication and allows cross-origin requests from any origin due to a permissive CORS policy (`Access-Control-Allow-Origin: *`). This allows a malicious websit
Sources: ghsa
CVE-2026-32632 | P4 | MEDIUM | CVSS 5.9 | affected: ≥ 0, < 4.5.2 | 2026-03-16
CVE-2026-32632 [MEDIUM] CWE-346: Glances's REST/WebUI Lacks Host Validation and Remains Exposed to DNS Rebinding. Summary: Glances recently added DNS rebinding protection for the MCP endpoint, but the main REST/WebUI FastAPI application still accepts arbitrary `Host` headers and does not apply `TrustedHostMiddleware` or an equivalent host allowlist. As a result, the REST API, WebUI, and token endpoint remain reach
Sources: ghsa, osv
CVE-2026-35588 | P4 | MEDIUM | affected: ≥ 0, < 4.5.4 | 2026-04-21
CVE-2026-35588 [MEDIUM] CWE-89: Glances has CQL Injection in its Cassandra Export Module via Unsanitized Config Values. Summary: The Cassandra export module (`glances/exports/glances_cassandra/__init__.py`) interpolates `keyspace`, `table`, and `replication_factor` configuration values directly into CQL statements without validation. A user with write access to `glances.conf` can redirect all monitoring data
Sources: ghsa