{"url":"http://public2.vulnerablecode.io/api/packages/43346?format=json","purl":"pkg:deb/debian/glances@4.5.4%2Bdfsg-1?distro=trixie","type":"deb","namespace":"debian","name":"glances","version":"4.5.4+dfsg-1","qualifiers":{"distro":"trixie"},"subpath":"","is_vulnerable":false,"next_non_vulnerable_version":"4.5.5+dfsg-1","latest_non_vulnerable_version":"4.5.5+dfsg-1","affected_by_vulnerabilities":[],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/76984?format=json","vulnerability_id":"VCID-1zjq-8g1r-rkbb","summary":"Glances is an open-source, cross-platform system monitoring tool. Prior to version 4.5.2, in Central Browser mode, Glances stores both the Zeroconf-advertised server name and the discovered IP address for dynamic servers, but later builds connection URIs from the untrusted advertised name instead of the discovered IP. When a dynamic server reports itself as protected, Glances also uses that same untrusted name as the lookup key for saved passwords and the global `[passwords] default` credential. An attacker on the same local network can advertise a fake Glances service over Zeroconf and cause the browser to automatically send a reusable Glances authentication secret to an attacker-controlled host. This affects the background polling path and the REST/WebUI click-through path in Central Browser mode. 
Version 4.5.2 fixes the issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-32634","reference_id":"","reference_type":"","scores":[{"value":"0.00018","scoring_system":"epss","scoring_elements":"0.048","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00018","scoring_system":"epss","scoring_elements":"0.0478","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00018","scoring_system":"epss","scoring_elements":"0.04804","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00018","scoring_system":"epss","scoring_elements":"0.0479","published_at":"2026-06-13T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-32634"},{"reference_url":"https://github.com/nicolargo/glances","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nicolargo/glances"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32634","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32634"},{"reference_url":"https://github.com/nicolargo/glances/commit/61d38eec521703e41e4933d18d5a5ef6f854abd5","reference_id":"61d38eec521703e41e4933d18d5a5ef6f854abd5","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-18T18:36:04Z/"}],"url":"https://github.com/nicolargo/glances/commit/61d38eec521703e41e4933d18d5a5ef6f854abd5"},{"reference_url":"https://github.com/advisori
es/GHSA-vx5f-957p-qpvm","reference_id":"GHSA-vx5f-957p-qpvm","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-vx5f-957p-qpvm"},{"reference_url":"https://github.com/nicolargo/glances/security/advisories/GHSA-vx5f-957p-qpvm","reference_id":"GHSA-vx5f-957p-qpvm","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-18T18:36:04Z/"}],"url":"https://github.com/nicolargo/glances/security/advisories/GHSA-vx5f-957p-qpvm"},{"reference_url":"https://github.com/nicolargo/glances/releases/tag/v4.5.2","reference_id":"v4.5.2","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-18T18:36:04Z/"}],"url":"https://github.com/nicolargo/glances/releases/tag/v4.5.2"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/43350?format=json","purl":"pkg:deb/debian/glances@4.5.2%2Bdfsg-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/glances@4.5.2%252Bdfsg-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/43346?format=json","purl":"pkg:deb/debian/glances@4.5.4%2Bdfsg-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/glances@4.5.4%252Bdfsg-1%3Fdistro=trixie"},{"url":"http://public2.
vulnerablecode.io/api/packages/1206453?format=json","purl":"pkg:deb/debian/glances@4.5.5%2Bdfsg-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/glances@4.5.5%252Bdfsg-1%3Fdistro=trixie"}],"aliases":["CVE-2026-32634","GHSA-vx5f-957p-qpvm"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-1zjq-8g1r-rkbb"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/77829?format=json","vulnerability_id":"VCID-35gx-y6hg-qfe7","summary":"Glances is an open-source, cross-platform system monitoring tool. Prior to version 4.5.3, Glances supports dynamic configuration values in which substrings enclosed in backticks are executed as system commands during configuration parsing. This behavior occurs in Config.get_value() and is implemented without validation or restriction of the executed commands. If an attacker can modify or influence configuration files, arbitrary commands will execute automatically with the privileges of the Glances process during startup or configuration reload. In deployments where Glances runs with elevated privileges (e.g., as a system service), this may lead to privilege escalation. 
This issue has been patched in version 4.5.3.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33641","reference_id":"","reference_type":"","scores":[{"value":"0.00737","scoring_system":"epss","scoring_elements":"0.73297","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00737","scoring_system":"epss","scoring_elements":"0.73386","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00737","scoring_system":"epss","scoring_elements":"0.73374","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00737","scoring_system":"epss","scoring_elements":"0.73389","published_at":"2026-06-13T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33641"},{"reference_url":"https://github.com/nicolargo/glances","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nicolargo/glances"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33641","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33641"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132603","reference_id":"1132603","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132603"},{"reference_url":"https://github.com/nicolargo/glances/commit/358d76a225fc21a9f95d2c4d7e46fafe64a644c6","reference_id":"358d76a225fc21a9f95d2c4d7e46fafe64a644c6","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc"
,"scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-02T16:09:58Z/"}],"url":"https://github.com/nicolargo/glances/commit/358d76a225fc21a9f95d2c4d7e46fafe64a644c6"},{"reference_url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/52559.py","reference_id":"CVE-2026-33641","reference_type":"exploit","scores":[],"url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/52559.py"},{"reference_url":"https://github.com/advisories/GHSA-qhj7-v7h7-q4c7","reference_id":"GHSA-qhj7-v7h7-q4c7","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-qhj7-v7h7-q4c7"},{"reference_url":"https://github.com/nicolargo/glances/security/advisories/GHSA-qhj7-v7h7-q4c7","reference_id":"GHSA-qhj7-v7h7-q4c7","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-02T16:09:58Z/"}],"url":"https://github.com/nicolargo/glances/security/advisories/GHSA-qhj7-v7h7-q4c7"},{"reference_url":"https://github.com/nicolargo/glances/releases/tag/v4.5.3","reference_id":"v4.5.3","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-02T16:09:58Z/"}],"url":"https://github.com/nicolargo/glances/releases/tag/v4.5.3"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/43351?format=json","purl":"pkg:deb/debian/glances@4.5.3.2%2Bdfsg-1?distro=
trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/glances@4.5.3.2%252Bdfsg-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/43346?format=json","purl":"pkg:deb/debian/glances@4.5.4%2Bdfsg-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/glances@4.5.4%252Bdfsg-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/1206453?format=json","purl":"pkg:deb/debian/glances@4.5.5%2Bdfsg-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/glances@4.5.5%252Bdfsg-1%3Fdistro=trixie"}],"aliases":["CVE-2026-33641","GHSA-qhj7-v7h7-q4c7"],"risk_score":10.0,"exploitability":"2.0","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-35gx-y6hg-qfe7"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/75242?format=json","vulnerability_id":"VCID-6bdp-jdhy-xygt","summary":"Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.4, the Glances web server exposes a REST API (`/api/4/*`) that is accessible without authentication and allows cross-origin requests from any origin due to a permissive CORS policy (`Access-Control-Allow-Origin: *`). This allows a malicious website to read sensitive system information from a running Glances instance in the victim’s browser, leading to cross-origin data exfiltration. While a previous advisory exists for XML-RPC CORS issues, this report demonstrates that the REST API (`/api/4/*`) is also affected and exposes significantly more sensitive data. 
Version 4.5.4 patches the issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-34839","reference_id":"","reference_type":"","scores":[{"value":"0.00033","scoring_system":"epss","scoring_elements":"0.10237","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00033","scoring_system":"epss","scoring_elements":"0.10223","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00033","scoring_system":"epss","scoring_elements":"0.10233","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00033","scoring_system":"epss","scoring_elements":"0.10185","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-34839"},{"reference_url":"https://github.com/nicolargo/glances","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nicolargo/glances"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34839","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34839"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134645","reference_id":"1134645","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134645"},{"reference_url":"https://github.com/nicolargo/glances/commit/fdfb977b1d91b5e410bc06c4e19f8bedb0005ce9","reference_id":"fdfb977b1d91b5e410bc06c4e19f8bedb0005ce9","reference_typ
e":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-21T19:37:18Z/"}],"url":"https://github.com/nicolargo/glances/commit/fdfb977b1d91b5e410bc06c4e19f8bedb0005ce9"},{"reference_url":"https://github.com/advisories/GHSA-gfc2-9qmw-w7vh","reference_id":"GHSA-gfc2-9qmw-w7vh","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-gfc2-9qmw-w7vh"},{"reference_url":"https://github.com/nicolargo/glances/security/advisories/GHSA-gfc2-9qmw-w7vh","reference_id":"GHSA-gfc2-9qmw-w7vh","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-21T19:37:18Z/"}],"url":"https://github.com/nicolargo/glances/security/advisories/GHSA-gfc2-9qmw-w7vh"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/43346?format=json","purl":"pkg:deb/debian/glances@4.5.4%2Bdfsg-1?distro=trixie","is_vulnerable":false,"aff
ected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/glances@4.5.4%252Bdfsg-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/1206453?format=json","purl":"pkg:deb/debian/glances@4.5.5%2Bdfsg-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/glances@4.5.5%252Bdfsg-1%3Fdistro=trixie"}],"aliases":["CVE-2026-34839","GHSA-gfc2-9qmw-w7vh"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-6bdp-jdhy-xygt"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/197606?format=json","vulnerability_id":"VCID-7g5k-1fhm-wkb2","summary":"xml external entity injection","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-23418","reference_id":"","reference_type":"","scores":[{"value":"0.00381","scoring_system":"epss","scoring_elements":"0.59946","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00381","scoring_system":"epss","scoring_elements":"0.60058","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00381","scoring_system":"epss","scoring_elements":"0.60066","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00381","scoring_system":"epss","scoring_elements":"0.60054","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-23418"},{"reference_url":"https://github.com/advisories/GHSA-r2mj-8wgq-73m6","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/adv
isories/GHSA-r2mj-8wgq-73m6"},{"reference_url":"https://github.com/nicolargo/glances","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nicolargo/glances"},{"reference_url":"https://github.com/nicolargo/glances/commit/4b87e979afdc06d98ed1b48da31e69eaa3a9fb94","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nicolargo/glances/commit/4b87e979afdc06d98ed1b48da31e69eaa3a9fb94"},{"reference_url":"https://github.com/nicolargo/glances/commit/85d5a6b4af31fcf785d5a61086cbbd166b40b07a","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nicolargo/glances/commit/85d5a6b4af31fcf785d5a61086cbbd166b40b07a"},{"reference_url":"https://github.com/nicolargo/glances/commit/9d6051be4a42f692392049fdbfc85d5dfa458b32","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:
N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nicolargo/glances/commit/9d6051be4a42f692392049fdbfc85d5dfa458b32"},{"reference_url":"https://github.com/nicolargo/glances/issues/1025","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nicolargo/glances/issues/1025"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/glances/PYSEC-2021-115.yaml","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/glances/PYSEC-2021-115.yaml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-23418","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-23418"},{"reference_url":"https://snyk.io/vuln/SNYK-PYTHON-GLANCES-1311807","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L"},{"value":"5.3","scoring_system":"cvssv4","scoring_
elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://snyk.io/vuln/SNYK-PYTHON-GLANCES-1311807"},{"reference_url":"https://security.archlinux.org/AVG-2242","reference_id":"AVG-2242","reference_type":"","scores":[{"value":"Medium","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2242"},{"reference_url":"https://usn.ubuntu.com/USN-5187-1/","reference_id":"USN-USN-5187-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/USN-5187-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/43345?format=json","purl":"pkg:deb/debian/glances@3.2.3.1%2Bdfsg-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/glances@3.2.3.1%252Bdfsg-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/43344?format=json","purl":"pkg:deb/debian/glances@3.3.1.1%2Bdfsg-1?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1zjq-8g1r-rkbb"},{"vulnerability":"VCID-35gx-y6hg-qfe7"},{"vulnerability":"VCID-6bdp-jdhy-xygt"},{"vulnerability":"VCID-7quj-ty9f-b3d9"},{"vulnerability":"VCID-drjj-2c7n-huhs"},{"vulnerability":"VCID-e92n-p49s-dyez"},{"vulnerability":"VCID-f64n-cvxz-x7du"},{"vulnerability":"VCID-fs9k-827n-rbc3"},{"vulnerability":"VCID-ghkc-afh4-jkgr"},{"vulnerability":"VCID-q9ky-1rvd-cygm"},{"vulnerability":"VCID-s51f-vm48-a3gd"},{"vulnerability":"VCID-svpw-cbx8-aqe9"},{"vulnerability":"VCID-vym9-cue3-3qc8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/glances@3.3.1.1%252Bdfsg-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/43347?format=json","purl":"pkg:deb/debian/glances@4.3.1%2Bdfsg-1?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1zjq-8g1r-rkbb"},{"vulner
ability":"VCID-35gx-y6hg-qfe7"},{"vulnerability":"VCID-6bdp-jdhy-xygt"},{"vulnerability":"VCID-7quj-ty9f-b3d9"},{"vulnerability":"VCID-8x7t-qctq-ufgp"},{"vulnerability":"VCID-drjj-2c7n-huhs"},{"vulnerability":"VCID-e92n-p49s-dyez"},{"vulnerability":"VCID-f64n-cvxz-x7du"},{"vulnerability":"VCID-fs9k-827n-rbc3"},{"vulnerability":"VCID-ghkc-afh4-jkgr"},{"vulnerability":"VCID-q9ky-1rvd-cygm"},{"vulnerability":"VCID-s51f-vm48-a3gd"},{"vulnerability":"VCID-svpw-cbx8-aqe9"},{"vulnerability":"VCID-vym9-cue3-3qc8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/glances@4.3.1%252Bdfsg-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/43346?format=json","purl":"pkg:deb/debian/glances@4.5.4%2Bdfsg-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/glances@4.5.4%252Bdfsg-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/1206453?format=json","purl":"pkg:deb/debian/glances@4.5.5%2Bdfsg-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/glances@4.5.5%252Bdfsg-1%3Fdistro=trixie"}],"aliases":["CVE-2021-23418","GHSA-r2mj-8wgq-73m6","PYSEC-2021-115","SNYK-PYTHON-GLANCES-1311807"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-7g5k-1fhm-wkb2"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/77635?format=json","vulnerability_id":"VCID-7quj-ty9f-b3d9","summary":"Glances is an open-source system cross-platform monitoring tool. Prior to 4.5.2, Glances web server runs without authentication by default when started with `glances -w`, exposing REST API with sensitive system information including process command-lines containing credentials (passwords, API keys, tokens) to any network client. 
Version 4.5.2 fixes the issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-32596","reference_id":"","reference_type":"","scores":[{"value":"0.04065","scoring_system":"epss","scoring_elements":"0.88797","published_at":"2026-06-11T12:55:00Z"},{"value":"0.04065","scoring_system":"epss","scoring_elements":"0.8884","published_at":"2026-06-14T12:55:00Z"},{"value":"0.04065","scoring_system":"epss","scoring_elements":"0.88836","published_at":"2026-06-12T12:55:00Z"},{"value":"0.04065","scoring_system":"epss","scoring_elements":"0.88842","published_at":"2026-06-13T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-32596"},{"reference_url":"https://github.com/nicolargo/glances","reference_id":"","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nicolargo/glances"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32596","reference_id":"","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32596"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1131197","reference_id":"1131197","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1131197"},{"reference_url":"https://github.com/nicolargo/glances/commit/208d876118fea5758970f33fd7474908bd403d25","reference_id":"208d876118fea5758970f33fd7474908bd403d25","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"valu
e":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-18T15:44:55Z/"}],"url":"https://github.com/nicolargo/glances/commit/208d876118fea5758970f33fd7474908bd403d25"},{"reference_url":"https://github.com/advisories/GHSA-wvxv-4j8q-4wjq","reference_id":"GHSA-wvxv-4j8q-4wjq","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-wvxv-4j8q-4wjq"},{"reference_url":"https://github.com/nicolargo/glances/security/advisories/GHSA-wvxv-4j8q-4wjq","reference_id":"GHSA-wvxv-4j8q-4wjq","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-18T15:44:55Z/"}],"url":"https://github.com/nicolargo/glances/security/advisories/GHSA-wvxv-4j8q-4wjq"},{"reference_url":"https://github.com/nicolargo/glances/releases/tag/v4.5.2","reference_id":"v4.5.2","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-18T15:44:55Z/"}],"url":"https://github.com/nicolargo/glances/releases/tag/v4.5.2"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/43350?format=json","purl":"pkg:deb/debian/glances@4.5.2%2Bdfsg-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/glances@4.5.2%252Bdfsg-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/a
pi/packages/43346?format=json","purl":"pkg:deb/debian/glances@4.5.4%2Bdfsg-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/glances@4.5.4%252Bdfsg-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/1206453?format=json","purl":"pkg:deb/debian/glances@4.5.5%2Bdfsg-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/glances@4.5.5%252Bdfsg-1%3Fdistro=trixie"}],"aliases":["CVE-2026-32596","GHSA-wvxv-4j8q-4wjq"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-7quj-ty9f-b3d9"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/66487?format=json","vulnerability_id":"VCID-8x7t-qctq-ufgp","summary":"Glances is an open-source system cross-platform monitoring tool. Prior to 4.5.1, the /api/4/config REST API endpoint returns the entire parsed Glances configuration file (glances.conf) via self.config.as_dict() with no filtering of sensitive values. The configuration file contains credentials for all configured backend services including database passwords, API tokens, JWT signing keys, and SSL key passwords. 
This vulnerability is fixed in 4.5.1.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-30928","reference_id":"","reference_type":"","scores":[{"value":"0.0667","scoring_system":"epss","scoring_elements":"0.91468","published_at":"2026-06-14T12:55:00Z"},{"value":"0.0667","scoring_system":"epss","scoring_elements":"0.91471","published_at":"2026-06-13T12:55:00Z"},{"value":"0.0667","scoring_system":"epss","scoring_elements":"0.91463","published_at":"2026-06-12T12:55:00Z"},{"value":"0.0667","scoring_system":"epss","scoring_elements":"0.91432","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-30928"},{"reference_url":"https://github.com/nicolargo/glances","reference_id":"","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nicolargo/glances"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1130503","reference_id":"1130503","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1130503"},{"reference_url":"https://github.com/nicolargo/glances/commit/306a7136154ba5c1531489c99f8306d84eae37da","reference_id":"306a7136154ba5c1531489c99f8306d84eae37da","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-10T16:39:47Z/"}],"url":"https://github.com/nicolargo/glances/commit/306a7136154ba5c1531489c99f8306d84eae37da"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-30928","reference_id":"CVE-2026-30928","reference_type":"","scores":[{"value":"8.7","scoring_system":
"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-30928"},{"reference_url":"https://github.com/advisories/GHSA-gh4x-f7cq-wwx6","reference_id":"GHSA-gh4x-f7cq-wwx6","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-gh4x-f7cq-wwx6"},{"reference_url":"https://github.com/nicolargo/glances/security/advisories/GHSA-gh4x-f7cq-wwx6","reference_id":"GHSA-gh4x-f7cq-wwx6","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-10T16:39:47Z/"}],"url":"https://github.com/nicolargo/glances/security/advisories/GHSA-gh4x-f7cq-wwx6"},{"reference_url":"https://github.com/nicolargo/glances/releases/tag/v4.5.1","reference_id":"v4.5.1","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-10T16:39:47Z/"}],"url":"https://github.com/nicolargo/glances/releases/tag/v4.5.1"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/43348?format=json","purl":"pkg:deb/debian/glances@0?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/glances@0%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/package
s/43344?format=json","purl":"pkg:deb/debian/glances@3.3.1.1%2Bdfsg-1?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1zjq-8g1r-rkbb"},{"vulnerability":"VCID-35gx-y6hg-qfe7"},{"vulnerability":"VCID-6bdp-jdhy-xygt"},{"vulnerability":"VCID-7quj-ty9f-b3d9"},{"vulnerability":"VCID-drjj-2c7n-huhs"},{"vulnerability":"VCID-e92n-p49s-dyez"},{"vulnerability":"VCID-f64n-cvxz-x7du"},{"vulnerability":"VCID-fs9k-827n-rbc3"},{"vulnerability":"VCID-ghkc-afh4-jkgr"},{"vulnerability":"VCID-q9ky-1rvd-cygm"},{"vulnerability":"VCID-s51f-vm48-a3gd"},{"vulnerability":"VCID-svpw-cbx8-aqe9"},{"vulnerability":"VCID-vym9-cue3-3qc8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/glances@3.3.1.1%252Bdfsg-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/43349?format=json","purl":"pkg:deb/debian/glances@4.5.1%2Bdfsg-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/glances@4.5.1%252Bdfsg-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/43346?format=json","purl":"pkg:deb/debian/glances@4.5.4%2Bdfsg-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/glances@4.5.4%252Bdfsg-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/1206453?format=json","purl":"pkg:deb/debian/glances@4.5.5%2Bdfsg-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/glances@4.5.5%252Bdfsg-1%3Fdistro=trixie"}],"aliases":["CVE-2026-30928","GHSA-gh4x-f7cq-wwx6"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-8x7t-qctq-ufgp"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/77032?format=json","vulnerability_id":"VCI
D-drjj-2c7n-huhs","summary":"Glances is an open-source system cross-platform monitoring tool. The GHSA-x46r fix (commit 39161f0) addressed SQL injection in the TimescaleDB export module by converting all SQL operations to use parameterized queries and `psycopg.sql` composable objects. However, the DuckDB export module (`glances/exports/glances_duckdb/__init__.py`) was not included in this fix and contains the same class of vulnerability: table names and column names derived from monitoring statistics are directly interpolated into SQL statements via f-strings. While DuckDB INSERT values already use parameterized queries (`?` placeholders), the DDL construction and table name references do not escape or parameterize identifier names. Version 4.5.3 provides a more complete fix.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-32611","reference_id":"","reference_type":"","scores":[{"value":"0.00018","scoring_system":"epss","scoring_elements":"0.05016","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00018","scoring_system":"epss","scoring_elements":"0.04995","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00018","scoring_system":"epss","scoring_elements":"0.0502","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00018","scoring_system":"epss","scoring_elements":"0.05006","published_at":"2026-06-13T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-32611"},{"reference_url":"https://github.com/nicolargo/glances","reference_id":"","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nicolargo/glances"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32611","reference_id":"","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L"},{"value":"
HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32611"},{"reference_url":"https://github.com/nicolargo/glances/commit/63b7da28895249d775202d639e5531ba63491a5c","reference_id":"63b7da28895249d775202d639e5531ba63491a5c","reference_type":"","scores":[{"value":"7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L"},{"value":"7.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-18T18:50:55Z/"}],"url":"https://github.com/nicolargo/glances/commit/63b7da28895249d775202d639e5531ba63491a5c"},{"reference_url":"https://github.com/advisories/GHSA-49g7-2ww7-3vf5","reference_id":"GHSA-49g7-2ww7-3vf5","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-49g7-2ww7-3vf5"},{"reference_url":"https://github.com/nicolargo/glances/security/advisories/GHSA-49g7-2ww7-3vf5","reference_id":"GHSA-49g7-2ww7-3vf5","reference_type":"","scores":[{"value":"7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L"},{"value":"7.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-18T18:50:55Z/"}],"url":"https://github.com/nicolargo/glances/security/advisories/GHSA-49g7-2ww7-3vf5"},{"reference_url":"https://github.com/nicolargo/glances/releases/tag/v4.5.2","reference_id":"v4.5.2","reference_type":"","scores":[{"value":"7","scoring_system":"cvssv3.1","scoring_e
lements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L"},{"value":"7.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-18T18:50:55Z/"}],"url":"https://github.com/nicolargo/glances/releases/tag/v4.5.2"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/43350?format=json","purl":"pkg:deb/debian/glances@4.5.2%2Bdfsg-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/glances@4.5.2%252Bdfsg-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/43346?format=json","purl":"pkg:deb/debian/glances@4.5.4%2Bdfsg-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/glances@4.5.4%252Bdfsg-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/1206453?format=json","purl":"pkg:deb/debian/glances@4.5.5%2Bdfsg-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/glances@4.5.5%252Bdfsg-1%3Fdistro=trixie"}],"aliases":["CVE-2026-32611","GHSA-49g7-2ww7-3vf5"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-drjj-2c7n-huhs"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/77483?format=json","vulnerability_id":"VCID-e92n-p49s-dyez","summary":"Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.2, in Central Browser mode, the `/api/4/serverslist` endpoint returns raw server objects from `GlancesServersList.get_servers_list()`. 
Those objects are mutated in-place during background polling and can contain a `uri` field with embedded HTTP Basic credentials for downstream Glances servers, using the reusable pbkdf2-derived Glances authentication secret. If the front Glances Browser/API instance is started without `--password`, which is supported and common for internal network deployments, `/api/4/serverslist` is completely unauthenticated. Any network user who can reach the Browser API can retrieve reusable credentials for protected downstream Glances servers once they have been polled by the browser instance. Version 4.5.2 fixes the issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-32633","reference_id":"","reference_type":"","scores":[{"value":"0.00103","scoring_system":"epss","scoring_elements":"0.27653","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00103","scoring_system":"epss","scoring_elements":"0.27869","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00103","scoring_system":"epss","scoring_elements":"0.27855","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00103","scoring_system":"epss","scoring_elements":"0.27879","published_at":"2026-06-13T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-32633"},{"reference_url":"https://github.com/nicolargo/glances","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nicolargo/glances"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32633","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32633"},{"reference_url":"https://github.co
m/nicolargo/glances/commit/879ef8688ffa1630839549751d3c7ef9961d361e","reference_id":"879ef8688ffa1630839549751d3c7ef9961d361e","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-03-18T18:35:24Z/"}],"url":"https://github.com/nicolargo/glances/commit/879ef8688ffa1630839549751d3c7ef9961d361e"},{"reference_url":"https://github.com/advisories/GHSA-r297-p3v4-wp8m","reference_id":"GHSA-r297-p3v4-wp8m","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-r297-p3v4-wp8m"},{"reference_url":"https://github.com/nicolargo/glances/security/advisories/GHSA-r297-p3v4-wp8m","reference_id":"GHSA-r297-p3v4-wp8m","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-03-18T18:35:24Z/"}],"url":"https://github.com/nicolargo/glances/security/advisories/GHSA-r297-p3v4-wp8m"},{"reference_url":"https://github.com/nicolargo/glances/releases/tag/v4.5.2","reference_id":"v4.5.2","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-03-18T18:35:24Z/"}],"url":"https://github.com/nicolargo/glances/releases/tag/v4.5.2"}],"fixed_packages":[{"url":"htt
p://public2.vulnerablecode.io/api/packages/43350?format=json","purl":"pkg:deb/debian/glances@4.5.2%2Bdfsg-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/glances@4.5.2%252Bdfsg-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/43346?format=json","purl":"pkg:deb/debian/glances@4.5.4%2Bdfsg-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/glances@4.5.4%252Bdfsg-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/1206453?format=json","purl":"pkg:deb/debian/glances@4.5.5%2Bdfsg-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/glances@4.5.5%252Bdfsg-1%3Fdistro=trixie"}],"aliases":["CVE-2026-32633","GHSA-r297-p3v4-wp8m"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-e92n-p49s-dyez"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/71697?format=json","vulnerability_id":"VCID-f64n-cvxz-x7du","summary":"Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.4, a Server-Side Request Forgery (SSRF) vulnerability exists in the Glances IP plugin due to improper validation of the public_api configuration parameter. The value of public_api is used directly in outbound HTTP requests without any scheme restriction or hostname/IP validation. An attacker who can modify the Glances configuration can force the application to send requests to arbitrary internal or external endpoints. Additionally, when public_username and public_password are set, Glances automatically includes these credentials in the Authorization: Basic header, resulting in credential leakage to attacker-controlled servers. 
This vulnerability can be exploited to access internal network services, retrieve sensitive data from cloud metadata endpoints, and/or exfiltrate credentials via outbound HTTP requests. The issue arises because public_api is passed directly to the HTTP client (urlopen_auth) without validation, allowing unrestricted outbound connections and unintended disclosure of sensitive information. Version 4.5.4 contains a patch.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-35587","reference_id":"","reference_type":"","scores":[{"value":"0.0002","scoring_system":"epss","scoring_elements":"0.05945","published_at":"2026-06-12T12:55:00Z"},{"value":"0.0002","scoring_system":"epss","scoring_elements":"0.05929","published_at":"2026-06-14T12:55:00Z"},{"value":"0.0002","scoring_system":"epss","scoring_elements":"0.05937","published_at":"2026-06-13T12:55:00Z"},{"value":"0.0002","scoring_system":"epss","scoring_elements":"0.05922","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-35587"},{"reference_url":"https://github.com/nicolargo/glances","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"7.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nicolargo/glances"},{"reference_url":"https://github.com/nicolargo/glances/releases/tag/v4.5.4","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"7.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nicola
rgo/glances/releases/tag/v4.5.4"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35587","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"7.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35587"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134645","reference_id":"1134645","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134645"},{"reference_url":"https://github.com/nicolargo/glances/commit/d6808be66728956477cc4b544bab1acd71ac65fb","reference_id":"d6808be66728956477cc4b544bab1acd71ac65fb","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"7.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-22T03:56:11Z/"}],"url":"https://github.com/nicolargo/glances/commit/d6808be66728956477cc4b544bab1acd71ac65fb"},{"reference_url":"https://github.com/advisories/GHSA-g5pq-48mj-jvw8","reference_id":"GHSA-g5pq-48mj-jvw8","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-g5pq-48mj-jvw8"},{"reference_url":"https://github.com/nicolargo/glances/security/advisories/GHSA-g5pq-48mj-jvw8","reference_id":"GHSA-g5pq-48mj-jvw8","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH"
,"scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"7.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-22T03:56:11Z/"}],"url":"https://github.com/nicolargo/glances/security/advisories/GHSA-g5pq-48mj-jvw8"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/43346?format=json","purl":"pkg:deb/debian/glances@4.5.4%2Bdfsg-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/glances@4.5.4%252Bdfsg-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/1206453?format=json","purl":"pkg:deb/debian/glances@4.5.5%2Bdfsg-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/glances@4.5.5%252Bdfsg-1%3Fdistro=trixie"}],"aliases":["CVE-2026-35587","GHSA-g5pq-48mj-jvw8"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-f64n-cvxz-x7du"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/77570?format=json","vulnerability_id":"VCID-fs9k-827n-rbc3","summary":"Glances is an open-source system cross-platform monitoring tool. Glances recently added DNS rebinding protection for the MCP endpoint, but prior to version 4.5.2, the main REST/WebUI FastAPI application still accepts arbitrary `Host` headers and does not apply `TrustedHostMiddleware` or an equivalent host allowlist. As a result, the REST API, WebUI, and token endpoint remain reachable through attacker-controlled domains in classic DNS rebinding scenarios. 
Once the victim browser has rebound the attacker domain to the Glances service, same-origin policy no longer protects the API because the browser considers the rebinding domain to be the origin. This is a distinct issue from the previously reported default CORS weakness. CORS is not required for exploitation here because DNS rebinding causes the victim browser to treat the malicious domain as same-origin with the rebinding target. Version 4.5.2 contains a patch for the issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-32632","reference_id":"","reference_type":"","scores":[{"value":"0.00028","scoring_system":"epss","scoring_elements":"0.08314","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00028","scoring_system":"epss","scoring_elements":"0.08354","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00028","scoring_system":"epss","scoring_elements":"0.08351","published_at":"2026-06-14T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-32632"},{"reference_url":"https://github.com/nicolargo/glances","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nicolargo/glances"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32632","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32632"},{"reference_url":"https://github.com/nicolargo/glances/commit/5850c564ee10804fdf884823b9c210eb954dd1f9","reference_id":"5850c564ee10804fdf884823b9c210eb954dd1f9","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:
U/C:H/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-18T18:15:48Z/"}],"url":"https://github.com/nicolargo/glances/commit/5850c564ee10804fdf884823b9c210eb954dd1f9"},{"reference_url":"https://github.com/advisories/GHSA-hhcg-r27j-fhv9","reference_id":"GHSA-hhcg-r27j-fhv9","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-hhcg-r27j-fhv9"},{"reference_url":"https://github.com/nicolargo/glances/security/advisories/GHSA-hhcg-r27j-fhv9","reference_id":"GHSA-hhcg-r27j-fhv9","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-18T18:15:48Z/"}],"url":"https://github.com/nicolargo/glances/security/advisories/GHSA-hhcg-r27j-fhv9"},{"reference_url":"https://github.com/nicolargo/glances/releases/tag/v4.5.2","reference_id":"v4.5.2","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-18T18:15:48Z/"}],"url":"https://github.com/nicolargo/glances/releases/tag/v4.5.2"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/43350?format=json","purl":"pkg:deb/debian/glances@4.5.2%2Bdfsg-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/gla
nces@4.5.2%252Bdfsg-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/43346?format=json","purl":"pkg:deb/debian/glances@4.5.4%2Bdfsg-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/glances@4.5.4%252Bdfsg-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/1206453?format=json","purl":"pkg:deb/debian/glances@4.5.5%2Bdfsg-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/glances@4.5.5%252Bdfsg-1%3Fdistro=trixie"}],"aliases":["CVE-2026-32632","GHSA-hhcg-r27j-fhv9"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-fs9k-827n-rbc3"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/213318?format=json","vulnerability_id":"VCID-ghkc-afh4-jkgr","summary":"Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.3, the Glances XML-RPC server (activated with glances -s or glances --server) sends Access-Control-Allow-Origin: * on every HTTP response. Because the XML-RPC handler does not validate the Content-Type header, an attacker-controlled webpage can issue a CORS \"simple request\" (POST with Content-Type: text/plain) containing a valid XML-RPC payload. The browser sends the request without a preflight check, the server processes the XML body and returns the full system monitoring dataset, and the wildcard CORS header lets the attacker's JavaScript read the response. The result is complete exfiltration of hostname, OS version, IP addresses, CPU/memory/disk/network stats, and the full process list including command lines (which often contain tokens, passwords, or internal paths). 
This issue has been patched in version 4.5.3.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33533","reference_id":"","reference_type":"","scores":[{"value":"0.00055","scoring_system":"epss","scoring_elements":"0.17565","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00055","scoring_system":"epss","scoring_elements":"0.17723","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00055","scoring_system":"epss","scoring_elements":"0.1774","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00055","scoring_system":"epss","scoring_elements":"0.17715","published_at":"2026-06-14T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33533"},{"reference_url":"https://github.com/nicolargo/glances","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nicolargo/glances"},{"reference_url":"https://github.com/nicolargo/glances/commit/dcb39c3f12b2a1eec708c58d22d7a1d62bdf5fa1","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nicolargo/glances/commit/dcb39c3f12b2a1eec708c58d22d7a1d62bdf5fa1"},{"reference_url":"https://github.com/nicolargo/glances/security/advisories/GHSA-7p93-6934-f4q7","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nicolargo/glances/security/advisories/GHSA-7p93-6934-f4q7"},{"referen
ce_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33533","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33533"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132603","reference_id":"1132603","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132603"},{"reference_url":"https://github.com/advisories/GHSA-7p93-6934-f4q7","reference_id":"GHSA-7p93-6934-f4q7","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-7p93-6934-f4q7"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/43351?format=json","purl":"pkg:deb/debian/glances@4.5.3.2%2Bdfsg-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/glances@4.5.3.2%252Bdfsg-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/43346?format=json","purl":"pkg:deb/debian/glances@4.5.4%2Bdfsg-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/glances@4.5.4%252Bdfsg-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/1206453?format=json","purl":"pkg:deb/debian/glances@4.5.5%2Bdfsg-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/glances@4.5.5%252Bdfsg-1%3Fdistro=trixie"}],"aliases":["CVE-2026-33533","GHSA-7p93-6934-f4q7"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ghkc-afh4-jkgr"},{"url":"http://public2.
vulnerablecode.io/api/vulnerabilities/66498?format=json","vulnerability_id":"VCID-h1um-9b55-4qht","summary":"Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.1, the TimescaleDB export module constructs SQL queries using string concatenation with unsanitized system monitoring data. The normalize() method wraps string values in single quotes but does not escape embedded single quotes, making SQL injection trivial via attacker-controlled data such as process names, filesystem mount points, network interface names, or container names. This vulnerability is fixed in 4.5.1.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-30930","reference_id":"","reference_type":"","scores":[{"value":"0.00034","scoring_system":"epss","scoring_elements":"0.10508","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00034","scoring_system":"epss","scoring_elements":"0.10533","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00034","scoring_system":"epss","scoring_elements":"0.10532","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00034","scoring_system":"epss","scoring_elements":"0.10478","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-30930"},{"reference_url":"https://github.com/nicolargo/glances","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nicolargo/glances"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1130504","reference_id":"1130504","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1130504"},{"reference_url":"https://github.com/nicolargo/glances/commit/39161f0d6fd723d83f534b48f24cdca722573336","reference_id":"39161f0d6fd723d83f534b48f24cdca722573336","reference_type":"","scores":[{"v
alue":"7.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-10T16:40:20Z/"}],"url":"https://github.com/nicolargo/glances/commit/39161f0d6fd723d83f534b48f24cdca722573336"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-30930","reference_id":"CVE-2026-30930","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-30930"},{"reference_url":"https://github.com/advisories/GHSA-x46r-mf5g-xpr6","reference_id":"GHSA-x46r-mf5g-xpr6","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-x46r-mf5g-xpr6"},{"reference_url":"https://github.com/nicolargo/glances/security/advisories/GHSA-x46r-mf5g-xpr6","reference_id":"GHSA-x46r-mf5g-xpr6","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"7.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-10T16:40:20Z/"}],"url":"https://github.com/nicolargo/glances/security/advisories/GHSA-x46r-mf5g-xpr6"},{"reference_url":"https://github.com/nicolargo/glances/releases/tag/v4.5.1","reference_id":"v4.5.1","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","
scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-10T16:40:20Z/"}],"url":"https://github.com/nicolargo/glances/releases/tag/v4.5.1"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/43348?format=json","purl":"pkg:deb/debian/glances@0?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/glances@0%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/43344?format=json","purl":"pkg:deb/debian/glances@3.3.1.1%2Bdfsg-1?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1zjq-8g1r-rkbb"},{"vulnerability":"VCID-35gx-y6hg-qfe7"},{"vulnerability":"VCID-6bdp-jdhy-xygt"},{"vulnerability":"VCID-7quj-ty9f-b3d9"},{"vulnerability":"VCID-drjj-2c7n-huhs"},{"vulnerability":"VCID-e92n-p49s-dyez"},{"vulnerability":"VCID-f64n-cvxz-x7du"},{"vulnerability":"VCID-fs9k-827n-rbc3"},{"vulnerability":"VCID-ghkc-afh4-jkgr"},{"vulnerability":"VCID-q9ky-1rvd-cygm"},{"vulnerability":"VCID-s51f-vm48-a3gd"},{"vulnerability":"VCID-svpw-cbx8-aqe9"},{"vulnerability":"VCID-vym9-cue3-3qc8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/glances@3.3.1.1%252Bdfsg-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/43347?format=json","purl":"pkg:deb/debian/glances@4.3.1%2Bdfsg-1?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1zjq-8g1r-rkbb"},{"vulnerability":"VCID-35gx-y6hg-qfe7"},{"vulnerability":"VCID-6bdp-jdhy-xygt"},{"vulnerability":"VCID-7quj-ty9f-b3d9"},{"vulnerability":"VCID-8x7t-qctq-ufgp"},{"vulnerability":"VCID-drjj-2c7n-huhs"},{"vulnerability":"VCID-e92n-p49s-dyez"},{"vulnerability":"VCID-f64n-cvxz-x7du"},{"vulnerability":"VCID-fs9k-827n-rbc3"},{"vulnerability":"VCID-ghkc-afh4-jkgr"},{"vulnerability":"VCID-q9ky-1rvd-cygm"},{"vuln
erability":"VCID-s51f-vm48-a3gd"},{"vulnerability":"VCID-svpw-cbx8-aqe9"},{"vulnerability":"VCID-vym9-cue3-3qc8"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/glances@4.3.1%252Bdfsg-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/43349?format=json","purl":"pkg:deb/debian/glances@4.5.1%2Bdfsg-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/glances@4.5.1%252Bdfsg-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/43346?format=json","purl":"pkg:deb/debian/glances@4.5.4%2Bdfsg-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/glances@4.5.4%252Bdfsg-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/1206453?format=json","purl":"pkg:deb/debian/glances@4.5.5%2Bdfsg-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/glances@4.5.5%252Bdfsg-1%3Fdistro=trixie"}],"aliases":["CVE-2026-30930","GHSA-x46r-mf5g-xpr6"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-h1um-9b55-4qht"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/77074?format=json","vulnerability_id":"VCID-q9ky-1rvd-cygm","summary":"Glances is an open-source system cross-platform monitoring tool. The Glances action system allows administrators to configure shell commands that execute when monitoring thresholds are exceeded. These commands support Mustache template variables (e.g., `{{name}}`, `{{key}}`) that are populated with runtime monitoring data. 
The `secure_popen()` function, which executes these commands, implements its own pipe, redirect, and chain operator handling by splitting the command string before passing each segment to `subprocess.Popen(shell=False)`. Prior to 4.5.2, when a Mustache-rendered value (such as a process name, filesystem mount point, or container name) contains pipe, redirect, or chain metacharacters, the rendered command is split in unintended ways, allowing an attacker who controls a process name or container name to inject arbitrary commands. Version 4.5.2 fixes the issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-32608","reference_id":"","reference_type":"","scores":[{"value":"0.0001","scoring_system":"epss","scoring_elements":"0.01138","published_at":"2026-06-12T12:55:00Z"},{"value":"0.0001","scoring_system":"epss","scoring_elements":"0.01147","published_at":"2026-06-14T12:55:00Z"},{"value":"0.0001","scoring_system":"epss","scoring_elements":"0.01144","published_at":"2026-06-13T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-32608"},{"reference_url":"https://github.com/nicolargo/glances","reference_id":"","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nicolargo/glances"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32608","reference_id":"","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32608"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1131197","reference_id":"1131197","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1131197"},{"reference_u
rl":"https://github.com/nicolargo/glances/commit/6f4ec53d967478e69917078e6f73f448001bf107","reference_id":"6f4ec53d967478e69917078e6f73f448001bf107","reference_type":"","scores":[{"value":"7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"7.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-18T15:38:16Z/"}],"url":"https://github.com/nicolargo/glances/commit/6f4ec53d967478e69917078e6f73f448001bf107"},{"reference_url":"https://github.com/advisories/GHSA-vcv2-q258-wrg7","reference_id":"GHSA-vcv2-q258-wrg7","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-vcv2-q258-wrg7"},{"reference_url":"https://github.com/nicolargo/glances/security/advisories/GHSA-vcv2-q258-wrg7","reference_id":"GHSA-vcv2-q258-wrg7","reference_type":"","scores":[{"value":"7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"7.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-18T15:38:16Z/"}],"url":"https://github.com/nicolargo/glances/security/advisories/GHSA-vcv2-q258-wrg7"},{"reference_url":"https://github.com/nicolargo/glances/releases/tag/v4.5.2","reference_id":"v4.5.2","reference_type":"","scores":[{"value":"7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"7.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/A
C:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-18T15:38:16Z/"}],"url":"https://github.com/nicolargo/glances/releases/tag/v4.5.2"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/43350?format=json","purl":"pkg:deb/debian/glances@4.5.2%2Bdfsg-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/glances@4.5.2%252Bdfsg-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/43346?format=json","purl":"pkg:deb/debian/glances@4.5.4%2Bdfsg-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/glances@4.5.4%252Bdfsg-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/1206453?format=json","purl":"pkg:deb/debian/glances@4.5.5%2Bdfsg-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/glances@4.5.5%252Bdfsg-1%3Fdistro=trixie"}],"aliases":["CVE-2026-32608","GHSA-vcv2-q258-wrg7"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-q9ky-1rvd-cygm"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/71645?format=json","vulnerability_id":"VCID-s51f-vm48-a3gd","summary":"Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.4, the Cassandra export module (`glances/exports/glances_cassandra/__init__.py`) interpolates `keyspace`, `table`, and `replication_factor` configuration values directly into CQL statements without validation. A user with write access to `glances.conf` can redirect all monitoring data to an attacker-controlled Cassandra keyspace. 
Version 4.5.4 contains a fix.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-35588","reference_id":"","reference_type":"","scores":[{"value":"0.00013","scoring_system":"epss","scoring_elements":"0.02151","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00013","scoring_system":"epss","scoring_elements":"0.02159","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00013","scoring_system":"epss","scoring_elements":"0.02154","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00013","scoring_system":"epss","scoring_elements":"0.0215","published_at":"2026-06-13T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-35588"},{"reference_url":"https://github.com/nicolargo/glances","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nicolargo/glances"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35588","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35588"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134645","reference_id":"1134645","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134645"},{"reference_url":"https://github.com/nicolargo/glances/commit/d339181f03a14bb15506307e9d58f876e23d8160","reference_id":"d339181f03a14bb15506307e9d58f876e23d8160","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","sco
ring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-21T13:35:00Z/"}],"url":"https://github.com/nicolargo/glances/commit/d339181f03a14bb15506307e9d58f876e23d8160"},{"reference_url":"https://github.com/nicolargo/glances/commit/e41b665576f9fd5374e3152078726cc59a01e48c","reference_id":"e41b665576f9fd5374e3152078726cc59a01e48c","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-21T13:35:00Z/"}],"url":"https://github.com/nicolargo/glances/commit/e41b665576f9fd5374e3152078726cc59a01e48c"},{"reference_url":"https://github.com/advisories/GHSA-grp3-h8m8-45p7","reference_id":"GHSA-grp3-h8m8-45p7","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-grp3-h8m8-45p7"},{"reference_url":"https://github.com/nicolargo/glances/security/advisories/GHSA-grp3-h8m8-45p7","reference_id":"GHSA-grp3-h8m8-45p7","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-21T13:35:00Z/"}],"url":"https://github.com/nicolargo/glances/security/advisories/GHSA-grp3-h8m8-45p7"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/43346?format=json","purl":"pkg:deb/debian/glances@4.5.4%2Bdfsg-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/glances@4.5.4%252Bdfsg-1%3Fdistro=trixie"},{"url":
"http://public2.vulnerablecode.io/api/packages/1206453?format=json","purl":"pkg:deb/debian/glances@4.5.5%2Bdfsg-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/glances@4.5.5%252Bdfsg-1%3Fdistro=trixie"}],"aliases":["CVE-2026-35588","GHSA-grp3-h8m8-45p7"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-s51f-vm48-a3gd"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/77244?format=json","vulnerability_id":"VCID-svpw-cbx8-aqe9","summary":"Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.2, the Glances REST API web server ships with a default CORS configuration that sets `allow_origins=[\"*\"]` combined with `allow_credentials=True`. When both of these options are enabled together, Starlette's `CORSMiddleware` reflects the requesting `Origin` header value in the `Access-Control-Allow-Origin` response header instead of returning the literal `*` wildcard. This effectively grants any website the ability to make credentialed cross-origin API requests to the Glances server, enabling cross-site data theft of system monitoring information, configuration secrets, and command line arguments from any user who has an active browser session with a Glances instance. 
Version 4.5.2 fixes the issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-32610","reference_id":"","reference_type":"","scores":[{"value":"0.00055","scoring_system":"epss","scoring_elements":"0.17534","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00055","scoring_system":"epss","scoring_elements":"0.17686","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00055","scoring_system":"epss","scoring_elements":"0.17694","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00055","scoring_system":"epss","scoring_elements":"0.17711","published_at":"2026-06-13T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-32610"},{"reference_url":"https://github.com/nicolargo/glances","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nicolargo/glances"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32610","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32610"},{"reference_url":"https://github.com/nicolargo/glances/commit/4465169b71d93991f1e49740fe02428291099832","reference_id":"4465169b71d93991f1e49740fe02428291099832","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-18T16:59:20Z/"}],"url":"https://github.com/nicolargo/glances/commit/4465169b71d93991f1e49740fe02428291099832"},{"reference_url":"https://github.com/advi
sories/GHSA-9jfm-9rc6-2hfq","reference_id":"GHSA-9jfm-9rc6-2hfq","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-9jfm-9rc6-2hfq"},{"reference_url":"https://github.com/nicolargo/glances/security/advisories/GHSA-9jfm-9rc6-2hfq","reference_id":"GHSA-9jfm-9rc6-2hfq","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-18T16:59:20Z/"}],"url":"https://github.com/nicolargo/glances/security/advisories/GHSA-9jfm-9rc6-2hfq"},{"reference_url":"https://github.com/nicolargo/glances/releases/tag/v4.5.2","reference_id":"v4.5.2","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-18T16:59:20Z/"}],"url":"https://github.com/nicolargo/glances/releases/tag/v4.5.2"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/43350?format=json","purl":"pkg:deb/debian/glances@4.5.2%2Bdfsg-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/glances@4.5.2%252Bdfsg-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/43346?format=json","purl":"pkg:deb/debian/glances@4.5.4%2Bdfsg-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/glances@4.5.4%252Bdfsg-1%3Fdistro=trixie"},{"url":"http://publ
ic2.vulnerablecode.io/api/packages/1206453?format=json","purl":"pkg:deb/debian/glances@4.5.5%2Bdfsg-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/glances@4.5.5%252Bdfsg-1%3Fdistro=trixie"}],"aliases":["CVE-2026-32610","GHSA-9jfm-9rc6-2hfq"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-svpw-cbx8-aqe9"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/76863?format=json","vulnerability_id":"VCID-vym9-cue3-3qc8","summary":"Glances is an open-source system cross-platform monitoring tool. The GHSA-gh4x fix (commit 5d3de60) addressed unauthenticated configuration secrets exposure on the `/api/v4/config` endpoints by introducing `as_dict_secure()` redaction. However, the `/api/v4/args` and `/api/v4/args/{item}` endpoints were not addressed by this fix. These endpoints return the complete command-line arguments namespace via `vars(self.args)`, which includes the password hash (salt + pbkdf2_hmac), SNMP community strings, SNMP authentication keys, and the configuration file path. When Glances runs without `--password` (the default), these endpoints are accessible without any authentication. 
Version 4.5.2 provides a more complete fix.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-32609","reference_id":"","reference_type":"","scores":[{"value":"0.00082","scoring_system":"epss","scoring_elements":"0.23989","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00082","scoring_system":"epss","scoring_elements":"0.24173","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00082","scoring_system":"epss","scoring_elements":"0.24186","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00082","scoring_system":"epss","scoring_elements":"0.24195","published_at":"2026-06-13T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-32609"},{"reference_url":"https://github.com/nicolargo/glances","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nicolargo/glances"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32609","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32609"},{"reference_url":"https://github.com/nicolargo/glances/commit/ff14eb9780ee10ec018c754754b1c8c7bfb6c44f","reference_id":"ff14eb9780ee10ec018c754754b1c8c7bfb6c44f","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-18T14:45:48Z/"}],"url":"https://github.com/nicolargo/glances/commit/ff14eb9780ee10ec018c754754b1c8c7bfb6c44f"},{"reference_url":"https://git
hub.com/advisories/GHSA-cvwp-r2g2-j824","reference_id":"GHSA-cvwp-r2g2-j824","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-cvwp-r2g2-j824"},{"reference_url":"https://github.com/nicolargo/glances/security/advisories/GHSA-cvwp-r2g2-j824","reference_id":"GHSA-cvwp-r2g2-j824","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-18T14:45:48Z/"}],"url":"https://github.com/nicolargo/glances/security/advisories/GHSA-cvwp-r2g2-j824"},{"reference_url":"https://github.com/nicolargo/glances/releases/tag/v4.5.2","reference_id":"v4.5.2","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-18T14:45:48Z/"}],"url":"https://github.com/nicolargo/glances/releases/tag/v4.5.2"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/43350?format=json","purl":"pkg:deb/debian/glances@4.5.2%2Bdfsg-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/glances@4.5.2%252Bdfsg-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/43346?format=json","purl":"pkg:deb/debian/glances@4.5.4%2Bdfsg-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/glances@4.5.4%252Bdfsg-1%3Fdistro=trixie"},{"url":"h
ttp://public2.vulnerablecode.io/api/packages/1206453?format=json","purl":"pkg:deb/debian/glances@4.5.5%2Bdfsg-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/glances@4.5.5%252Bdfsg-1%3Fdistro=trixie"}],"aliases":["CVE-2026-32609","GHSA-cvwp-r2g2-j824"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-vym9-cue3-3qc8"}],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/glances@4.5.4%252Bdfsg-1%3Fdistro=trixie"}