
Nicolargo Glances vulnerabilities

19 known vulnerabilities affecting nicolargo/glances.

Total CVEs: 19
CISA KEV: 0
Public exploits: 3
Exploited in wild: 0
Severity breakdown: CRITICAL 3, HIGH 11, MEDIUM 5

Vulnerabilities

CVE-2026-30928 | P2 | HIGH | CVSS 7.5 | PoC | fixed in 4.5.1 | 2026-03-10
[HIGH] CWE-200: Glances is an open-source system cross-platform monitoring tool. Prior to 4.5.1, the /api/4/config REST API endpoint returns the entire parsed Glances configuration file (glances.conf) via self.config.as_dict() with no filtering of sensitive values. The configuration file contains credentials for all configured backend services including database pass
Source: nvd
CVE-2026-32596 | P2 | HIGH | CVSS 7.5 | PoC | fixed in 4.5.2 | 2026-03-18
[HIGH] CWE-200: Glances is an open-source system cross-platform monitoring tool. Prior to 4.5.2, Glances web server runs without authentication by default when started with `glances -w`, exposing REST API with sensitive system information including process command-lines containing credentials (passwords, API keys, tokens) to any network client. Version 4.5.2 fixes the
Source: nvd
CVE-2026-33641 | P3 | HIGH | CVSS 7.8 | PoC | fixed in 4.5.3 | 2026-04-02
[HIGH] CWE-78: Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.3, Glances supports dynamic configuration values in which substrings enclosed in backticks are executed as system commands during configuration parsing. This behavior occurs in Config.get_value() and is implemented without validation or restriction of the executed com
Source: nvd
CVE-2026-32633 | P2 | CRITICAL | CVSS 9.1 | fixed in 4.5.2 | 2026-03-18
[CRITICAL] CWE-200: Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.2, in Central Browser mode, the `/api/4/serverslist` endpoint returns raw server objects from `GlancesServersList.get_servers_list()`. Those objects are mutated in-place during background polling and can contain a `uri` field with embedded HTTP Basic credentials f
Source: nvd
CVE-2026-35587 | P3 | HIGH | CVSS 8.8 | fixed in 4.5.4 | 2026-04-21
[HIGH] CWE-918: Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.4, a Server-Side Request Forgery (SSRF) vulnerability exists in the Glances IP plugin due to improper validation of the public_api configuration parameter. The value of public_api is used directly in outbound HTTP requests without any scheme restriction or hostname/I
Source: nvd
CVE-2026-30930 | P3 | CRITICAL | CVSS 9.8 | fixed in 4.5.1 | 2026-03-10
[CRITICAL] CWE-89: Glances is an open-source system cross-platform monitoring tool. Prior to 4.5.1, the TimescaleDB export module constructs SQL queries using string concatenation with unsanitized system monitoring data. The normalize() method wraps string values in single quotes but does not escape embedded single quotes, making SQL injection trivial via attacker-co
Source: nvd
CVE-2026-32611 | P3 | CRITICAL | CVSS 9.1 | fixed in 4.5.2 | 2026-03-18
[CRITICAL] CWE-89: Glances is an open-source system cross-platform monitoring tool. The GHSA-x46r fix (commit 39161f0) addressed SQL injection in the TimescaleDB export module by converting all SQL operations to use parameterized queries and `psycopg.sql` composable objects. However, the DuckDB export module (`glances/exports/glances_duckdb/__init__.py`) was not inclu
Source: nvd
CVE-2026-32609 | P3 | HIGH | CVSS 7.5 | fixed in 4.5.2 | 2026-03-18
[HIGH] CWE-200: Glances is an open-source system cross-platform monitoring tool. The GHSA-gh4x fix (commit 5d3de60) addressed unauthenticated configuration secrets exposure on the `/api/v4/config` endpoints by introducing `as_dict_secure()` redaction. However, the `/api/v4/args` and `/api/v4/args/{item}` endpoints were not addressed by this fix. These endpoints return
Source: nvd
CVE-2026-46607 | P3 | HIGH | CVSS 7.8 | fixed in 4.5.5 | 2026-06-25
[HIGH] CWE-502: Glances is an open-source system cross-platform monitoring tool. Prior to 4.5.5, glances/outdated.py uses pickle.load() to read a version-check cache file stored at a predictable, world-accessible path (~/.cache/glances/glances-version.db or $XDG_CACHE_HOME/glances/glances-version.db). No integrity check, signature verification, or format validation i
Source: nvd
CVE-2026-46606 | P3 | HIGH | CVSS 7.8 | fixed in 4.5.5 | 2026-06-25
[HIGH] CWE-78: Glances is an open-source system cross-platform monitoring tool. Prior to 4.5.5, the Glances KVM/QEMU monitoring engine (glances/plugins/vms/engines/virsh.py) passes VM domain names, read directly from virsh list --all output, into f-string command templates that are processed by secure_popen(). secure_popen() is explicitly designed to interpret &&, |,
Source: nvd
CVE-2026-53925 | P3 | HIGH | CVSS 7.8 | affected >= 4.0.8, < 4.5.5 | 2026-06-25
[HIGH] CWE-22: Glances is an open-source system cross-platform monitoring tool. From 4.0.8 until 4.5.5, the secure_popen() function in glances/secure.py interprets > (file redirection), | (pipe), and && (command chaining) operators in command strings. These operators are applied without any validation on the target file path, piped command, or chained command. When A
Source: nvd
CVE-2026-32610 | P3 | HIGH | CVSS 8.1 | fixed in 4.5.2 | 2026-03-18
[HIGH] CWE-942: Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.2, the Glances REST API web server ships with a default CORS configuration that sets `allow_origins=["*"]` combined with `allow_credentials=True`. When both of these options are enabled together, Starlette's `CORSMiddleware` reflects the requesting `Origin` header va
Source: nvd
CVE-2026-32634 | P3 | HIGH | CVSS 8.1 | fixed in 4.5.2 | 2026-03-18
[HIGH] CWE-346: Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.2, in Central Browser mode, Glances stores both the Zeroconf-advertised server name and the discovered IP address for dynamic servers, but later builds connection URIs from the untrusted advertised name instead of the discovered IP. When a dynamic server reports itsel
Source: nvd
CVE-2026-32608 | P3 | HIGH | CVSS 7.0 | fixed in 4.5.2 | 2026-03-18
[HIGH] CWE-78: Glances is an open-source system cross-platform monitoring tool. The Glances action system allows administrators to configure shell commands that execute when monitoring thresholds are exceeded. These commands support Mustache template variables (e.g., `{{name}}`, `{{key}}`) that are populated with runtime monitoring data. The `secure_popen()` function
Source: nvd
CVE-2026-33533 | P3 | MEDIUM | CVSS 6.5 | fixed in 4.5.3, fixed in 4.5.5 | 2026-04-02
[MEDIUM] CWE-942: Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.3, the Glances XML-RPC server (activated with glances -s or glances --server) sends Access-Control-Allow-Origin: * on every HTTP response. Because the XML-RPC handler does not validate the Content-Type header, an attacker-controlled webpage can issue a CORS "simple
Source: nvd
CVE-2026-34839 | P3 | MEDIUM | CVSS 6.5 | fixed in 4.5.4 | 2026-04-21
[MEDIUM] CWE-200: Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.4, the Glances web server exposes a REST API (`/api/4/*`) that is accessible without authentication and allows cross-origin requests from any origin due to a permissive CORS policy (`Access-Control-Allow-Origin: *`). This allows a malicious website to read sensitiv
Source: nvd
CVE-2026-32632 | P4 | MEDIUM | CVSS 5.9 | fixed in 4.5.2 | 2026-03-18
[MEDIUM] CWE-346: Glances is an open-source system cross-platform monitoring tool. Glances recently added DNS rebinding protection for the MCP endpoint, but prior to version 4.5.2, the main REST/WebUI FastAPI application still accepts arbitrary `Host` headers and does not apply `TrustedHostMiddleware` or an equivalent host allowlist. As a result, the REST API, WebUI,
Source: nvd
CVE-2026-35588 | P4 | MEDIUM | CVSS 6.3 | fixed in 4.5.4 | 2026-04-21
[MEDIUM] CWE-89: Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.4, the Cassandra export module (`glances/exports/glances_cassandra/__init__.py`) interpolates `keyspace`, `table`, and `replication_factor` configuration values directly into CQL statements without validation. A user with write access to `glances.conf` can redirect
Source: nvd
CVE-2026-46611 | P4 | MEDIUM | CVSS 5.3 | fixed in 4.5.5 | 2026-06-25
[MEDIUM] CWE-346: Glances is an open-source system cross-platform monitoring tool. Prior to 4.5.5, the Glances XML-RPC server (glances -s, implemented in glances/server.py) does not validate the HTTP Host header, leaving it vulnerable to DNS rebinding attacks. An attacker can exploit DNS rebinding to exfiltrate the full system monitoring dataset from a victim's brows
Source: nvd