Lookup for vulnerable packages by Package URL.

Purl pkg:pypi/glances@4.0.8
Type pypi
Namespace
Name glances
Version 4.0.8
Qualifiers
Subpath
Is_vulnerable true
Next_non_vulnerable_version 4.5.4
Latest_non_vulnerable_version 4.5.4
Affected_by_vulnerabilities
0
url VCID-1nb8-b6q2-9fam
vulnerability_id VCID-1nb8-b6q2-9fam
summary Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.2, in Central Browser mode, the `/api/4/serverslist` endpoint returns raw server objects from `GlancesServersList.get_servers_list()`. Those objects are mutated in-place during background polling and can contain a `uri` field with embedded HTTP Basic credentials for downstream Glances servers, using the reusable pbkdf2-derived Glances authentication secret. If the front Glances Browser/API instance is started without `--password`, which is supported and common for internal network deployments, `/api/4/serverslist` is completely unauthenticated. Any network user who can reach the Browser API can retrieve reusable credentials for protected downstream Glances servers once they have been polled by the browser instance. Version 4.5.2 fixes the issue.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-32633
reference_id
reference_type
scores
0
value 0.00103
scoring_system epss
scoring_elements 0.27704
published_at 2026-06-06T12:55:00Z
1
value 0.00103
scoring_system epss
scoring_elements 0.27625
published_at 2026-06-09T12:55:00Z
2
value 0.00103
scoring_system epss
scoring_elements 0.27618
published_at 2026-06-08T12:55:00Z
3
value 0.00103
scoring_system epss
scoring_elements 0.27667
published_at 2026-06-07T12:55:00Z
4
value 0.00103
scoring_system epss
scoring_elements 0.27756
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-32633
1
reference_url https://github.com/nicolargo/glances
reference_id
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/nicolargo/glances
2
reference_url https://github.com/nicolargo/glances/commit/879ef8688ffa1630839549751d3c7ef9961d361e
reference_id
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value CRITICAL
scoring_system generic_textual
scoring_elements
2
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-03-18T18:35:24Z/
url https://github.com/nicolargo/glances/commit/879ef8688ffa1630839549751d3c7ef9961d361e
3
reference_url https://github.com/nicolargo/glances/releases/tag/v4.5.2
reference_id
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value CRITICAL
scoring_system generic_textual
scoring_elements
2
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-03-18T18:35:24Z/
url https://github.com/nicolargo/glances/releases/tag/v4.5.2
4
reference_url https://github.com/nicolargo/glances/security/advisories/GHSA-r297-p3v4-wp8m
reference_id
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
2
value CRITICAL
scoring_system generic_textual
scoring_elements
3
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-03-18T18:35:24Z/
url https://github.com/nicolargo/glances/security/advisories/GHSA-r297-p3v4-wp8m
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-32633
reference_id
reference_type
scores
0
value 9.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-32633
6
reference_url https://github.com/advisories/GHSA-r297-p3v4-wp8m
reference_id GHSA-r297-p3v4-wp8m
reference_type
scores
0
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-r297-p3v4-wp8m
fixed_packages
0
url pkg:pypi/glances@4.5.2
purl pkg:pypi/glances@4.5.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-5zc6-z1te-puch
1
vulnerability VCID-bwr1-wtxu-67f6
2
vulnerability VCID-d4m1-p4fn-ukcm
3
vulnerability VCID-fnxj-vv7d-e3h1
4
vulnerability VCID-fzeh-mjyz-8kgf
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/glances@4.5.2
aliases CVE-2026-32633, GHSA-r297-p3v4-wp8m
risk_score 4.5
exploitability 0.5
weighted_severity 9.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-1nb8-b6q2-9fam
1
url VCID-5zc6-z1te-puch
vulnerability_id VCID-5zc6-z1te-puch
summary Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.3, the Glances XML-RPC server (activated with glances -s or glances --server) sends Access-Control-Allow-Origin: * on every HTTP response. Because the XML-RPC handler does not validate the Content-Type header, an attacker-controlled webpage can issue a CORS "simple request" (POST with Content-Type: text/plain) containing a valid XML-RPC payload. The browser sends the request without a preflight check, the server processes the XML body and returns the full system monitoring dataset, and the wildcard CORS header lets the attacker's JavaScript read the response. The result is complete exfiltration of hostname, OS version, IP addresses, CPU/memory/disk/network stats, and the full process list including command lines (which often contain tokens, passwords, or internal paths). This issue has been patched in version 4.5.3.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-33533
reference_id
reference_type
scores
0
value 0.00048
scoring_system epss
scoring_elements 0.15129
published_at 2026-06-08T12:55:00Z
1
value 0.00048
scoring_system epss
scoring_elements 0.15264
published_at 2026-06-05T12:55:00Z
2
value 0.00048
scoring_system epss
scoring_elements 0.15212
published_at 2026-06-07T12:55:00Z
3
value 0.00048
scoring_system epss
scoring_elements 0.15254
published_at 2026-06-06T12:55:00Z
4
value 0.00055
scoring_system epss
scoring_elements 0.1748
published_at 2026-06-09T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-33533
1
reference_url https://github.com/nicolargo/glances
reference_id
reference_type
scores
0
value 7.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/nicolargo/glances
2
reference_url https://github.com/nicolargo/glances/commit/dcb39c3f12b2a1eec708c58d22d7a1d62bdf5fa1
reference_id
reference_type
scores
0
value 7.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/nicolargo/glances/commit/dcb39c3f12b2a1eec708c58d22d7a1d62bdf5fa1
3
reference_url https://github.com/nicolargo/glances/releases/tag/v4.5.3
reference_id
reference_type
scores
0
value 7.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/nicolargo/glances/releases/tag/v4.5.3
4
reference_url https://github.com/nicolargo/glances/security/advisories/GHSA-7p93-6934-f4q7
reference_id
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
1
value 7.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/nicolargo/glances/security/advisories/GHSA-7p93-6934-f4q7
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-33533
reference_id
reference_type
scores
0
value 7.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-33533
6
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132603
reference_id 1132603
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132603
7
reference_url https://github.com/advisories/GHSA-7p93-6934-f4q7
reference_id GHSA-7p93-6934-f4q7
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-7p93-6934-f4q7
fixed_packages
0
url pkg:pypi/glances@4.5.3
purl pkg:pypi/glances@4.5.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-bwr1-wtxu-67f6
1
vulnerability VCID-d4m1-p4fn-ukcm
2
vulnerability VCID-fzeh-mjyz-8kgf
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/glances@4.5.3
aliases CVE-2026-33533, GHSA-7p93-6934-f4q7
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-5zc6-z1te-puch
2
url VCID-6hzp-1v1a-h3b6
vulnerability_id VCID-6hzp-1v1a-h3b6
summary
Glances Exposes Unauthenticated Configuration Secrets
The /api/4/config REST API endpoint returns the entire parsed Glances configuration file (glances.conf) via self.config.as_dict() with no filtering of sensitive values. The configuration file contains credentials for all configured backend services including database passwords, API tokens, JWT signing keys, and SSL key passwords.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-30928
reference_id
reference_type
scores
0
value 0.0667
scoring_system epss
scoring_elements 0.91397
published_at 2026-06-08T12:55:00Z
1
value 0.0667
scoring_system epss
scoring_elements 0.91411
published_at 2026-06-09T12:55:00Z
2
value 0.0667
scoring_system epss
scoring_elements 0.91405
published_at 2026-06-06T12:55:00Z
3
value 0.0667
scoring_system epss
scoring_elements 0.91403
published_at 2026-06-05T12:55:00Z
4
value 0.0667
scoring_system epss
scoring_elements 0.91401
published_at 2026-06-07T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-30928
1
reference_url https://github.com/nicolargo/glances
reference_id
reference_type
scores
0
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/nicolargo/glances
2
reference_url https://github.com/nicolargo/glances/commit/306a7136154ba5c1531489c99f8306d84eae37da
reference_id
reference_type
scores
0
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-10T16:39:47Z/
url https://github.com/nicolargo/glances/commit/306a7136154ba5c1531489c99f8306d84eae37da
3
reference_url https://github.com/nicolargo/glances/releases/tag/v4.5.1
reference_id
reference_type
scores
0
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-10T16:39:47Z/
url https://github.com/nicolargo/glances/releases/tag/v4.5.1
4
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1130503
reference_id 1130503
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1130503
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-30928
reference_id CVE-2026-30928
reference_type
scores
0
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-30928
6
reference_url https://github.com/advisories/GHSA-gh4x-f7cq-wwx6
reference_id GHSA-gh4x-f7cq-wwx6
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-gh4x-f7cq-wwx6
7
reference_url https://github.com/nicolargo/glances/security/advisories/GHSA-gh4x-f7cq-wwx6
reference_id GHSA-gh4x-f7cq-wwx6
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-10T16:39:47Z/
url https://github.com/nicolargo/glances/security/advisories/GHSA-gh4x-f7cq-wwx6
fixed_packages
0
url pkg:pypi/glances@4.5.1
purl pkg:pypi/glances@4.5.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1nb8-b6q2-9fam
1
vulnerability VCID-5zc6-z1te-puch
2
vulnerability VCID-bwr1-wtxu-67f6
3
vulnerability VCID-d4m1-p4fn-ukcm
4
vulnerability VCID-ec6s-fczk-cqhd
5
vulnerability VCID-fnxj-vv7d-e3h1
6
vulnerability VCID-fzeh-mjyz-8kgf
7
vulnerability VCID-hcb9-5g88-b7bg
8
vulnerability VCID-kfz6-qgzc-zqfb
9
vulnerability VCID-nvst-rc4c-9bbd
10
vulnerability VCID-q9nh-md4f-4yam
11
vulnerability VCID-rsy2-mvb1-mufb
12
vulnerability VCID-tpyw-sbjd-3qgy
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/glances@4.5.1
aliases CVE-2026-30928, GHSA-gh4x-f7cq-wwx6
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-6hzp-1v1a-h3b6
3
url VCID-bwr1-wtxu-67f6
vulnerability_id VCID-bwr1-wtxu-67f6
summary Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.4, the Glances web server exposes a REST API (`/api/4/*`) that is accessible without authentication and allows cross-origin requests from any origin due to a permissive CORS policy (`Access-Control-Allow-Origin: *`). This allows a malicious website to read sensitive system information from a running Glances instance in the victim’s browser, leading to cross-origin data exfiltration. While a previous advisory exists for XML-RPC CORS issues, this report demonstrates that the REST API (`/api/4/*`) is also affected and exposes significantly more sensitive data. Version 4.5.4 patches the issue.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-34839
reference_id
reference_type
scores
0
value 0.00033
scoring_system epss
scoring_elements 0.1016
published_at 2026-06-07T12:55:00Z
1
value 0.00033
scoring_system epss
scoring_elements 0.10107
published_at 2026-06-09T12:55:00Z
2
value 0.00033
scoring_system epss
scoring_elements 0.10073
published_at 2026-06-08T12:55:00Z
3
value 0.00033
scoring_system epss
scoring_elements 0.10192
published_at 2026-06-06T12:55:00Z
4
value 0.00033
scoring_system epss
scoring_elements 0.10173
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-34839
1
reference_url https://github.com/nicolargo/glances
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
1
value 7.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/nicolargo/glances
2
reference_url https://github.com/nicolargo/glances/commit/fdfb977b1d91b5e410bc06c4e19f8bedb0005ce9
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
1
value 7.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
2
value 7.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P
3
value HIGH
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-21T19:37:18Z/
url https://github.com/nicolargo/glances/commit/fdfb977b1d91b5e410bc06c4e19f8bedb0005ce9
3
reference_url https://github.com/nicolargo/glances/security/advisories/GHSA-gfc2-9qmw-w7vh
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value 7.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
3
value 7.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P
4
value HIGH
scoring_system generic_textual
scoring_elements
5
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-21T19:37:18Z/
url https://github.com/nicolargo/glances/security/advisories/GHSA-gfc2-9qmw-w7vh
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-34839
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
1
value 7.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-34839
5
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134645
reference_id 1134645
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134645
6
reference_url https://github.com/advisories/GHSA-gfc2-9qmw-w7vh
reference_id GHSA-gfc2-9qmw-w7vh
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-gfc2-9qmw-w7vh
fixed_packages
0
url pkg:pypi/glances@4.5.4
purl pkg:pypi/glances@4.5.4
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/glances@4.5.4
aliases CVE-2026-34839, GHSA-gfc2-9qmw-w7vh
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-bwr1-wtxu-67f6
4
url VCID-d4m1-p4fn-ukcm
vulnerability_id VCID-d4m1-p4fn-ukcm
summary Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.4, the Cassandra export module (`glances/exports/glances_cassandra/__init__.py`) interpolates `keyspace`, `table`, and `replication_factor` configuration values directly into CQL statements without validation. A user with write access to `glances.conf` can redirect all monitoring data to an attacker-controlled Cassandra keyspace. Version 4.5.4 contains a fix.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-35588
reference_id
reference_type
scores
0
value 0.00013
scoring_system epss
scoring_elements 0.02193
published_at 2026-06-06T12:55:00Z
1
value 0.00013
scoring_system epss
scoring_elements 0.02149
published_at 2026-06-09T12:55:00Z
2
value 0.00013
scoring_system epss
scoring_elements 0.0216
published_at 2026-06-08T12:55:00Z
3
value 0.00013
scoring_system epss
scoring_elements 0.02174
published_at 2026-06-07T12:55:00Z
4
value 0.00013
scoring_system epss
scoring_elements 0.02187
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-35588
1
reference_url https://github.com/nicolargo/glances
reference_id
reference_type
scores
0
value 6.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/nicolargo/glances
2
reference_url https://github.com/nicolargo/glances/commit/d339181f03a14bb15506307e9d58f876e23d8160
reference_id
reference_type
scores
0
value 6.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-21T13:35:00Z/
url https://github.com/nicolargo/glances/commit/d339181f03a14bb15506307e9d58f876e23d8160
3
reference_url https://github.com/nicolargo/glances/commit/e41b665576f9fd5374e3152078726cc59a01e48c
reference_id
reference_type
scores
0
value 6.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-21T13:35:00Z/
url https://github.com/nicolargo/glances/commit/e41b665576f9fd5374e3152078726cc59a01e48c
4
reference_url https://github.com/nicolargo/glances/security/advisories/GHSA-grp3-h8m8-45p7
reference_id
reference_type
scores
0
value 6.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-21T13:35:00Z/
url https://github.com/nicolargo/glances/security/advisories/GHSA-grp3-h8m8-45p7
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-35588
reference_id
reference_type
scores
0
value 6.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-35588
6
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134645
reference_id 1134645
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134645
7
reference_url https://github.com/advisories/GHSA-grp3-h8m8-45p7
reference_id GHSA-grp3-h8m8-45p7
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-grp3-h8m8-45p7
fixed_packages
0
url pkg:pypi/glances@4.5.4
purl pkg:pypi/glances@4.5.4
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/glances@4.5.4
aliases CVE-2026-35588, GHSA-grp3-h8m8-45p7
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-d4m1-p4fn-ukcm
5
url VCID-ec6s-fczk-cqhd
vulnerability_id VCID-ec6s-fczk-cqhd
summary Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.2, the Glances REST API web server ships with a default CORS configuration that sets `allow_origins=["*"]` combined with `allow_credentials=True`. When both of these options are enabled together, Starlette's `CORSMiddleware` reflects the requesting `Origin` header value in the `Access-Control-Allow-Origin` response header instead of returning the literal `*` wildcard. This effectively grants any website the ability to make credentialed cross-origin API requests to the Glances server, enabling cross-site data theft of system monitoring information, configuration secrets, and command line arguments from any user who has an active browser session with a Glances instance. Version 4.5.2 fixes the issue.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-32610
reference_id
reference_type
scores
0
value 0.00055
scoring_system epss
scoring_elements 0.17512
published_at 2026-06-07T12:55:00Z
1
value 0.00055
scoring_system epss
scoring_elements 0.17449
published_at 2026-06-09T12:55:00Z
2
value 0.00055
scoring_system epss
scoring_elements 0.17432
published_at 2026-06-08T12:55:00Z
3
value 0.00055
scoring_system epss
scoring_elements 0.17551
published_at 2026-06-06T12:55:00Z
4
value 0.00055
scoring_system epss
scoring_elements 0.17556
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-32610
1
reference_url https://github.com/nicolargo/glances
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/nicolargo/glances
2
reference_url https://github.com/nicolargo/glances/commit/4465169b71d93991f1e49740fe02428291099832
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-18T16:59:20Z/
url https://github.com/nicolargo/glances/commit/4465169b71d93991f1e49740fe02428291099832
3
reference_url https://github.com/nicolargo/glances/releases/tag/v4.5.2
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-18T16:59:20Z/
url https://github.com/nicolargo/glances/releases/tag/v4.5.2
4
reference_url https://github.com/nicolargo/glances/security/advisories/GHSA-9jfm-9rc6-2hfq
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-18T16:59:20Z/
url https://github.com/nicolargo/glances/security/advisories/GHSA-9jfm-9rc6-2hfq
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-32610
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-32610
6
reference_url https://github.com/advisories/GHSA-9jfm-9rc6-2hfq
reference_id GHSA-9jfm-9rc6-2hfq
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-9jfm-9rc6-2hfq
fixed_packages
0
url pkg:pypi/glances@4.5.2
purl pkg:pypi/glances@4.5.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-5zc6-z1te-puch
1
vulnerability VCID-bwr1-wtxu-67f6
2
vulnerability VCID-d4m1-p4fn-ukcm
3
vulnerability VCID-fnxj-vv7d-e3h1
4
vulnerability VCID-fzeh-mjyz-8kgf
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/glances@4.5.2
aliases CVE-2026-32610, GHSA-9jfm-9rc6-2hfq
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ec6s-fczk-cqhd
6
url VCID-fnxj-vv7d-e3h1
vulnerability_id VCID-fnxj-vv7d-e3h1
summary Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.3, Glances supports dynamic configuration values in which substrings enclosed in backticks are executed as system commands during configuration parsing. This behavior occurs in Config.get_value() and is implemented without validation or restriction of the executed commands. If an attacker can modify or influence configuration files, arbitrary commands will execute automatically with the privileges of the Glances process during startup or configuration reload. In deployments where Glances runs with elevated privileges (e.g., as a system service), this may lead to privilege escalation. This issue has been patched in version 4.5.3.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-33641
reference_id
reference_type
scores
0
value 0.00635
scoring_system epss
scoring_elements 0.7083
published_at 2026-06-07T12:55:00Z
1
value 0.00635
scoring_system epss
scoring_elements 0.70817
published_at 2026-06-08T12:55:00Z
2
value 0.00635
scoring_system epss
scoring_elements 0.70848
published_at 2026-06-06T12:55:00Z
3
value 0.00635
scoring_system epss
scoring_elements 0.70841
published_at 2026-06-05T12:55:00Z
4
value 0.00737
scoring_system epss
scoring_elements 0.73248
published_at 2026-06-09T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-33641
1
reference_url https://github.com/nicolargo/glances
reference_id
reference_type
scores
0
value 7.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/nicolargo/glances
2
reference_url https://github.com/nicolargo/glances/commit/358d76a225fc21a9f95d2c4d7e46fafe64a644c6
reference_id
reference_type
scores
0
value 7.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-02T16:09:58Z/
url https://github.com/nicolargo/glances/commit/358d76a225fc21a9f95d2c4d7e46fafe64a644c6
3
reference_url https://github.com/nicolargo/glances/releases/tag/v4.5.3
reference_id
reference_type
scores
0
value 7.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-02T16:09:58Z/
url https://github.com/nicolargo/glances/releases/tag/v4.5.3
4
reference_url https://github.com/nicolargo/glances/security/advisories/GHSA-qhj7-v7h7-q4c7
reference_id
reference_type
scores
0
value 7.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-02T16:09:58Z/
url https://github.com/nicolargo/glances/security/advisories/GHSA-qhj7-v7h7-q4c7
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-33641
reference_id
reference_type
scores
0
value 7.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-33641
6
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132603
reference_id 1132603
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132603
7
reference_url https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/52559.py
reference_id CVE-2026-33641
reference_type exploit
scores
url https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/52559.py
8
reference_url https://github.com/advisories/GHSA-qhj7-v7h7-q4c7
reference_id GHSA-qhj7-v7h7-q4c7
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-qhj7-v7h7-q4c7
fixed_packages
0
url pkg:pypi/glances@4.5.3
purl pkg:pypi/glances@4.5.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-bwr1-wtxu-67f6
1
vulnerability VCID-d4m1-p4fn-ukcm
2
vulnerability VCID-fzeh-mjyz-8kgf
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/glances@4.5.3
aliases CVE-2026-33641, GHSA-qhj7-v7h7-q4c7
risk_score 10.0
exploitability 2.0
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-fnxj-vv7d-e3h1
7
url VCID-fzeh-mjyz-8kgf
vulnerability_id VCID-fzeh-mjyz-8kgf
summary Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.4, a Server-Side Request Forgery (SSRF) vulnerability exists in the Glances IP plugin due to improper validation of the public_api configuration parameter. The value of public_api is used directly in outbound HTTP requests without any scheme restriction or hostname/IP validation. An attacker who can modify the Glances configuration can force the application to send requests to arbitrary internal or external endpoints. Additionally, when public_username and public_password are set, Glances automatically includes these credentials in the Authorization: Basic header, resulting in credential leakage to attacker-controlled servers. This vulnerability can be exploited to access internal network services, retrieve sensitive data from cloud metadata endpoints, and/or exfiltrate credentials via outbound HTTP requests. The issue arises because public_api is passed directly to the HTTP client (urlopen_auth) without validation, allowing unrestricted outbound connections and unintended disclosure of sensitive information. Version 4.5.4 contains a patch.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-35587
reference_id
reference_type
scores
0
value 0.0002
scoring_system epss
scoring_elements 0.05905
published_at 2026-06-05T12:55:00Z
1
value 0.0002
scoring_system epss
scoring_elements 0.05877
published_at 2026-06-09T12:55:00Z
2
value 0.0002
scoring_system epss
scoring_elements 0.05853
published_at 2026-06-08T12:55:00Z
3
value 0.0002
scoring_system epss
scoring_elements 0.05898
published_at 2026-06-07T12:55:00Z
4
value 0.0002
scoring_system epss
scoring_elements 0.05896
published_at 2026-06-06T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-35587
1
reference_url https://github.com/nicolargo/glances
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value 7.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/nicolargo/glances
2
reference_url https://github.com/nicolargo/glances/commit/d6808be66728956477cc4b544bab1acd71ac65fb
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value 7.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-22T03:56:11Z/
url https://github.com/nicolargo/glances/commit/d6808be66728956477cc4b544bab1acd71ac65fb
3
reference_url https://github.com/nicolargo/glances/releases/tag/v4.5.4
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value 7.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/nicolargo/glances/releases/tag/v4.5.4
4
reference_url https://github.com/nicolargo/glances/security/advisories/GHSA-g5pq-48mj-jvw8
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value 7.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P
3
value HIGH
scoring_system generic_textual
scoring_elements
4
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-22T03:56:11Z/
url https://github.com/nicolargo/glances/security/advisories/GHSA-g5pq-48mj-jvw8
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-35587
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value 7.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-35587
6
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134645
reference_id 1134645
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134645
7
reference_url https://github.com/advisories/GHSA-g5pq-48mj-jvw8
reference_id GHSA-g5pq-48mj-jvw8
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-g5pq-48mj-jvw8
fixed_packages
0
url pkg:pypi/glances@4.5.4
purl pkg:pypi/glances@4.5.4
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/glances@4.5.4
aliases CVE-2026-35587, GHSA-g5pq-48mj-jvw8
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-fzeh-mjyz-8kgf
8
url VCID-hcb9-5g88-b7bg
vulnerability_id VCID-hcb9-5g88-b7bg
summary Glances is an open-source system cross-platform monitoring tool. Prior to 4.5.2, Glances web server runs without authentication by default when started with `glances -w`, exposing REST API with sensitive system information including process command-lines containing credentials (passwords, API keys, tokens) to any network client. Version 4.5.2 fixes the issue.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-32596
reference_id
reference_type
scores
0
value 0.04747
scoring_system epss
scoring_elements 0.89646
published_at 2026-06-09T12:55:00Z
1
value 0.04747
scoring_system epss
scoring_elements 0.89629
published_at 2026-06-07T12:55:00Z
2
value 0.04747
scoring_system epss
scoring_elements 0.8963
published_at 2026-06-06T12:55:00Z
3
value 0.04747
scoring_system epss
scoring_elements 0.89631
published_at 2026-06-08T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-32596
1
reference_url https://github.com/nicolargo/glances
reference_id
reference_type
scores
0
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/nicolargo/glances
2
reference_url https://github.com/nicolargo/glances/commit/208d876118fea5758970f33fd7474908bd403d25
reference_id
reference_type
scores
0
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-18T15:44:55Z/
url https://github.com/nicolargo/glances/commit/208d876118fea5758970f33fd7474908bd403d25
3
reference_url https://github.com/nicolargo/glances/releases/tag/v4.5.2
reference_id
reference_type
scores
0
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-18T15:44:55Z/
url https://github.com/nicolargo/glances/releases/tag/v4.5.2
4
reference_url https://github.com/nicolargo/glances/security/advisories/GHSA-wvxv-4j8q-4wjq
reference_id
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
1
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-18T15:44:55Z/
url https://github.com/nicolargo/glances/security/advisories/GHSA-wvxv-4j8q-4wjq
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-32596
reference_id
reference_type
scores
0
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-32596
6
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1131197
reference_id 1131197
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1131197
7
reference_url https://github.com/advisories/GHSA-wvxv-4j8q-4wjq
reference_id GHSA-wvxv-4j8q-4wjq
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-wvxv-4j8q-4wjq
fixed_packages
0
url pkg:pypi/glances@4.5.2
purl pkg:pypi/glances@4.5.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-5zc6-z1te-puch
1
vulnerability VCID-bwr1-wtxu-67f6
2
vulnerability VCID-d4m1-p4fn-ukcm
3
vulnerability VCID-fnxj-vv7d-e3h1
4
vulnerability VCID-fzeh-mjyz-8kgf
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/glances@4.5.2
aliases CVE-2026-32596, GHSA-wvxv-4j8q-4wjq
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-hcb9-5g88-b7bg
9
url VCID-kfz6-qgzc-zqfb
vulnerability_id VCID-kfz6-qgzc-zqfb
summary Glances is an open-source system cross-platform monitoring tool. Glances recently added DNS rebinding protection for the MCP endpoint, but prior to version 4.5.2, the main REST/WebUI FastAPI application still accepts arbitrary `Host` headers and does not apply `TrustedHostMiddleware` or an equivalent host allowlist. As a result, the REST API, WebUI, and token endpoint remain reachable through attacker-controlled domains in classic DNS rebinding scenarios. Once the victim browser has rebound the attacker domain to the Glances service, same-origin policy no longer protects the API because the browser considers the rebinding domain to be the origin. This is a distinct issue from the previously reported default CORS weakness. CORS is not required for exploitation here because DNS rebinding causes the victim browser to treat the malicious domain as same-origin with the rebinding target. Version 4.5.2 contains a patch for the issue.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-32632
reference_id
reference_type
scores
0
value 0.00028
scoring_system epss
scoring_elements 0.08302
published_at 2026-06-07T12:55:00Z
1
value 0.00028
scoring_system epss
scoring_elements 0.08269
published_at 2026-06-09T12:55:00Z
2
value 0.00028
scoring_system epss
scoring_elements 0.0825
published_at 2026-06-08T12:55:00Z
3
value 0.00028
scoring_system epss
scoring_elements 0.08321
published_at 2026-06-06T12:55:00Z
4
value 0.00028
scoring_system epss
scoring_elements 0.08313
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-32632
1
reference_url https://github.com/nicolargo/glances
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/nicolargo/glances
2
reference_url https://github.com/nicolargo/glances/commit/5850c564ee10804fdf884823b9c210eb954dd1f9
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-18T18:15:48Z/
url https://github.com/nicolargo/glances/commit/5850c564ee10804fdf884823b9c210eb954dd1f9
3
reference_url https://github.com/nicolargo/glances/releases/tag/v4.5.2
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-18T18:15:48Z/
url https://github.com/nicolargo/glances/releases/tag/v4.5.2
4
reference_url https://github.com/nicolargo/glances/security/advisories/GHSA-hhcg-r27j-fhv9
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-18T18:15:48Z/
url https://github.com/nicolargo/glances/security/advisories/GHSA-hhcg-r27j-fhv9
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-32632
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-32632
6
reference_url https://github.com/advisories/GHSA-hhcg-r27j-fhv9
reference_id GHSA-hhcg-r27j-fhv9
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-hhcg-r27j-fhv9
fixed_packages
0
url pkg:pypi/glances@4.5.2
purl pkg:pypi/glances@4.5.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-5zc6-z1te-puch
1
vulnerability VCID-bwr1-wtxu-67f6
2
vulnerability VCID-d4m1-p4fn-ukcm
3
vulnerability VCID-fnxj-vv7d-e3h1
4
vulnerability VCID-fzeh-mjyz-8kgf
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/glances@4.5.2
aliases CVE-2026-32632, GHSA-hhcg-r27j-fhv9
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-kfz6-qgzc-zqfb
10
url VCID-nvst-rc4c-9bbd
vulnerability_id VCID-nvst-rc4c-9bbd
summary Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.2, in Central Browser mode, Glances stores both the Zeroconf-advertised server name and the discovered IP address for dynamic servers, but later builds connection URIs from the untrusted advertised name instead of the discovered IP. When a dynamic server reports itself as protected, Glances also uses that same untrusted name as the lookup key for saved passwords and the global `[passwords] default` credential. An attacker on the same local network can advertise a fake Glances service over Zeroconf and cause the browser to automatically send a reusable Glances authentication secret to an attacker-controlled host. This affects the background polling path and the REST/WebUI click-through path in Central Browser mode. Version 4.5.2 fixes the issue.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-32634
reference_id
reference_type
scores
0
value 0.00018
scoring_system epss
scoring_elements 0.04776
published_at 2026-06-07T12:55:00Z
1
value 0.00018
scoring_system epss
scoring_elements 0.04765
published_at 2026-06-09T12:55:00Z
2
value 0.00018
scoring_system epss
scoring_elements 0.04737
published_at 2026-06-08T12:55:00Z
3
value 0.00018
scoring_system epss
scoring_elements 0.04788
published_at 2026-06-06T12:55:00Z
4
value 0.00018
scoring_system epss
scoring_elements 0.04798
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-32634
1
reference_url https://github.com/nicolargo/glances
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/nicolargo/glances
2
reference_url https://github.com/nicolargo/glances/commit/61d38eec521703e41e4933d18d5a5ef6f854abd5
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-18T18:36:04Z/
url https://github.com/nicolargo/glances/commit/61d38eec521703e41e4933d18d5a5ef6f854abd5
3
reference_url https://github.com/nicolargo/glances/releases/tag/v4.5.2
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-18T18:36:04Z/
url https://github.com/nicolargo/glances/releases/tag/v4.5.2
4
reference_url https://github.com/nicolargo/glances/security/advisories/GHSA-vx5f-957p-qpvm
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-18T18:36:04Z/
url https://github.com/nicolargo/glances/security/advisories/GHSA-vx5f-957p-qpvm
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-32634
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-32634
6
reference_url https://github.com/advisories/GHSA-vx5f-957p-qpvm
reference_id GHSA-vx5f-957p-qpvm
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-vx5f-957p-qpvm
fixed_packages
0
url pkg:pypi/glances@4.5.2
purl pkg:pypi/glances@4.5.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-5zc6-z1te-puch
1
vulnerability VCID-bwr1-wtxu-67f6
2
vulnerability VCID-d4m1-p4fn-ukcm
3
vulnerability VCID-fnxj-vv7d-e3h1
4
vulnerability VCID-fzeh-mjyz-8kgf
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/glances@4.5.2
aliases CVE-2026-32634, GHSA-vx5f-957p-qpvm
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-nvst-rc4c-9bbd
11
url VCID-q9nh-md4f-4yam
vulnerability_id VCID-q9nh-md4f-4yam
summary Glances is an open-source system cross-platform monitoring tool. The GHSA-gh4x fix (commit 5d3de60) addressed unauthenticated configuration secrets exposure on the `/api/v4/config` endpoints by introducing `as_dict_secure()` redaction. However, the `/api/v4/args` and `/api/v4/args/{item}` endpoints were not addressed by this fix. These endpoints return the complete command-line arguments namespace via `vars(self.args)`, which includes the password hash (salt + pbkdf2_hmac), SNMP community strings, SNMP authentication keys, and the configuration file path. When Glances runs without `--password` (the default), these endpoints are accessible without any authentication. Version 4.5.2 provides a more complete fix.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-32609
reference_id
reference_type
scores
0
value 0.00082
scoring_system epss
scoring_elements 0.24024
published_at 2026-06-07T12:55:00Z
1
value 0.00082
scoring_system epss
scoring_elements 0.23972
published_at 2026-06-09T12:55:00Z
2
value 0.00082
scoring_system epss
scoring_elements 0.23966
published_at 2026-06-08T12:55:00Z
3
value 0.00082
scoring_system epss
scoring_elements 0.24078
published_at 2026-06-06T12:55:00Z
4
value 0.00082
scoring_system epss
scoring_elements 0.24095
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-32609
1
reference_url https://github.com/nicolargo/glances
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/nicolargo/glances
2
reference_url https://github.com/nicolargo/glances/commit/ff14eb9780ee10ec018c754754b1c8c7bfb6c44f
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-18T14:45:48Z/
url https://github.com/nicolargo/glances/commit/ff14eb9780ee10ec018c754754b1c8c7bfb6c44f
3
reference_url https://github.com/nicolargo/glances/releases/tag/v4.5.2
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-18T14:45:48Z/
url https://github.com/nicolargo/glances/releases/tag/v4.5.2
4
reference_url https://github.com/nicolargo/glances/security/advisories/GHSA-cvwp-r2g2-j824
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-18T14:45:48Z/
url https://github.com/nicolargo/glances/security/advisories/GHSA-cvwp-r2g2-j824
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-32609
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-32609
6
reference_url https://github.com/advisories/GHSA-cvwp-r2g2-j824
reference_id GHSA-cvwp-r2g2-j824
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-cvwp-r2g2-j824
fixed_packages
0
url pkg:pypi/glances@4.5.2
purl pkg:pypi/glances@4.5.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-5zc6-z1te-puch
1
vulnerability VCID-bwr1-wtxu-67f6
2
vulnerability VCID-d4m1-p4fn-ukcm
3
vulnerability VCID-fnxj-vv7d-e3h1
4
vulnerability VCID-fzeh-mjyz-8kgf
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/glances@4.5.2
aliases CVE-2026-32609, GHSA-cvwp-r2g2-j824
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-q9nh-md4f-4yam
12
url VCID-qkj9-34bp-zufk
vulnerability_id VCID-qkj9-34bp-zufk
summary Glances has SQL Injection via Process Names in TimescaleDB Export
The TimescaleDB export module constructs SQL queries using string concatenation with unsanitized system monitoring data. The normalize() method wraps string values in single quotes but does not escape embedded single quotes, making SQL injection trivial via attacker-controlled data such as process names, filesystem mount points, network interface names, or container names.

Root Cause: The normalize() function uses f"'{value}'" for string values without escaping single quotes within the value. The resulting strings are concatenated into INSERT queries via string formatting and executed directly with cur.execute() — no parameterized queries are used.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-30930
reference_id
reference_type
scores
0
value 0.00034
scoring_system epss
scoring_elements 0.1046
published_at 2026-06-07T12:55:00Z
1
value 0.00034
scoring_system epss
scoring_elements 0.10399
published_at 2026-06-09T12:55:00Z
2
value 0.00034
scoring_system epss
scoring_elements 0.10375
published_at 2026-06-08T12:55:00Z
3
value 0.00034
scoring_system epss
scoring_elements 0.10499
published_at 2026-06-06T12:55:00Z
4
value 0.00034
scoring_system epss
scoring_elements 0.1048
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-30930
1
reference_url https://github.com/nicolargo/glances
reference_id
reference_type
scores
0
value 7.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/nicolargo/glances
2
reference_url https://github.com/nicolargo/glances/commit/39161f0d6fd723d83f534b48f24cdca722573336
reference_id
reference_type
scores
0
value 7.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-10T16:40:20Z/
url https://github.com/nicolargo/glances/commit/39161f0d6fd723d83f534b48f24cdca722573336
3
reference_url https://github.com/nicolargo/glances/releases/tag/v4.5.1
reference_id
reference_type
scores
0
value 7.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-10T16:40:20Z/
url https://github.com/nicolargo/glances/releases/tag/v4.5.1
4
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1130504
reference_id 1130504
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1130504
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-30930
reference_id CVE-2026-30930
reference_type
scores
0
value 7.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-30930
6
reference_url https://github.com/advisories/GHSA-x46r-mf5g-xpr6
reference_id GHSA-x46r-mf5g-xpr6
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-x46r-mf5g-xpr6
7
reference_url https://github.com/nicolargo/glances/security/advisories/GHSA-x46r-mf5g-xpr6
reference_id GHSA-x46r-mf5g-xpr6
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
1
value 7.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-10T16:40:20Z/
url https://github.com/nicolargo/glances/security/advisories/GHSA-x46r-mf5g-xpr6
fixed_packages
0
url pkg:pypi/glances@4.5.1
purl pkg:pypi/glances@4.5.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1nb8-b6q2-9fam
1
vulnerability VCID-5zc6-z1te-puch
2
vulnerability VCID-bwr1-wtxu-67f6
3
vulnerability VCID-d4m1-p4fn-ukcm
4
vulnerability VCID-ec6s-fczk-cqhd
5
vulnerability VCID-fnxj-vv7d-e3h1
6
vulnerability VCID-fzeh-mjyz-8kgf
7
vulnerability VCID-hcb9-5g88-b7bg
8
vulnerability VCID-kfz6-qgzc-zqfb
9
vulnerability VCID-nvst-rc4c-9bbd
10
vulnerability VCID-q9nh-md4f-4yam
11
vulnerability VCID-rsy2-mvb1-mufb
12
vulnerability VCID-tpyw-sbjd-3qgy
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/glances@4.5.1
aliases CVE-2026-30930, GHSA-x46r-mf5g-xpr6
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-qkj9-34bp-zufk
13
url VCID-rsy2-mvb1-mufb
vulnerability_id VCID-rsy2-mvb1-mufb
summary Glances is an open-source system cross-platform monitoring tool. The GHSA-x46r fix (commit 39161f0) addressed SQL injection in the TimescaleDB export module by converting all SQL operations to use parameterized queries and `psycopg.sql` composable objects. However, the DuckDB export module (`glances/exports/glances_duckdb/__init__.py`) was not included in this fix and contains the same class of vulnerability: table names and column names derived from monitoring statistics are directly interpolated into SQL statements via f-strings. While DuckDB INSERT values already use parameterized queries (`?` placeholders), the DDL construction and table name references do not escape or parameterize identifier names. Version 4.5.3 provides a more complete fix.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-32611
reference_id
reference_type
scores
0
value 0.00018
scoring_system epss
scoring_elements 0.04975
published_at 2026-06-07T12:55:00Z
1
value 0.00018
scoring_system epss
scoring_elements 0.04974
published_at 2026-06-09T12:55:00Z
2
value 0.00018
scoring_system epss
scoring_elements 0.04937
published_at 2026-06-08T12:55:00Z
3
value 0.00018
scoring_system epss
scoring_elements 0.04983
published_at 2026-06-06T12:55:00Z
4
value 0.00018
scoring_system epss
scoring_elements 0.04997
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-32611
1
reference_url https://github.com/nicolargo/glances
reference_id
reference_type
scores
0
value 7.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/nicolargo/glances
2
reference_url https://github.com/nicolargo/glances/commit/63b7da28895249d775202d639e5531ba63491a5c
reference_id
reference_type
scores
0
value 7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L
1
value 7.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-18T18:50:55Z/
url https://github.com/nicolargo/glances/commit/63b7da28895249d775202d639e5531ba63491a5c
3
reference_url https://github.com/nicolargo/glances/releases/tag/v4.5.2
reference_id
reference_type
scores
0
value 7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L
1
value 7.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-18T18:50:55Z/
url https://github.com/nicolargo/glances/releases/tag/v4.5.2
4
reference_url https://github.com/nicolargo/glances/security/advisories/GHSA-49g7-2ww7-3vf5
reference_id
reference_type
scores
0
value 7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L
1
value 7.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L
2
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
3
value HIGH
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-18T18:50:55Z/
url https://github.com/nicolargo/glances/security/advisories/GHSA-49g7-2ww7-3vf5
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-32611
reference_id
reference_type
scores
0
value 7.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-32611
6
reference_url https://github.com/advisories/GHSA-49g7-2ww7-3vf5
reference_id GHSA-49g7-2ww7-3vf5
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-49g7-2ww7-3vf5
fixed_packages
0
url pkg:pypi/glances@4.5.2
purl pkg:pypi/glances@4.5.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-5zc6-z1te-puch
1
vulnerability VCID-bwr1-wtxu-67f6
2
vulnerability VCID-d4m1-p4fn-ukcm
3
vulnerability VCID-fnxj-vv7d-e3h1
4
vulnerability VCID-fzeh-mjyz-8kgf
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/glances@4.5.2
aliases CVE-2026-32611, GHSA-49g7-2ww7-3vf5
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-rsy2-mvb1-mufb
14
url VCID-tpyw-sbjd-3qgy
vulnerability_id VCID-tpyw-sbjd-3qgy
summary Glances is an open-source system cross-platform monitoring tool. The Glances action system allows administrators to configure shell commands that execute when monitoring thresholds are exceeded. These commands support Mustache template variables (e.g., `{{name}}`, `{{key}}`) that are populated with runtime monitoring data. The `secure_popen()` function, which executes these commands, implements its own pipe, redirect, and chain operator handling by splitting the command string before passing each segment to `subprocess.Popen(shell=False)`. Prior to 4.5.2, when a Mustache-rendered value (such as a process name, filesystem mount point, or container name) contains pipe, redirect, or chain metacharacters, the rendered command is split in unintended ways, allowing an attacker who controls a process name or container name to inject arbitrary commands. Version 4.5.2 fixes the issue.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-32608
reference_id
reference_type
scores
0
value 0.0001
scoring_system epss
scoring_elements 0.01138
published_at 2026-06-09T12:55:00Z
1
value 0.0001
scoring_system epss
scoring_elements 0.01136
published_at 2026-06-08T12:55:00Z
2
value 0.0001
scoring_system epss
scoring_elements 0.01141
published_at 2026-06-07T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-32608
1
reference_url https://github.com/nicolargo/glances
reference_id
reference_type
scores
0
value 7.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/nicolargo/glances
2
reference_url https://github.com/nicolargo/glances/commit/6f4ec53d967478e69917078e6f73f448001bf107
reference_id
reference_type
scores
0
value 7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value 7.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-18T15:38:16Z/
url https://github.com/nicolargo/glances/commit/6f4ec53d967478e69917078e6f73f448001bf107
3
reference_url https://github.com/nicolargo/glances/releases/tag/v4.5.2
reference_id
reference_type
scores
0
value 7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value 7.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-18T15:38:16Z/
url https://github.com/nicolargo/glances/releases/tag/v4.5.2
4
reference_url https://github.com/nicolargo/glances/security/advisories/GHSA-vcv2-q258-wrg7
reference_id
reference_type
scores
0
value 7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value 7.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
2
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
3
value HIGH
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-18T15:38:16Z/
url https://github.com/nicolargo/glances/security/advisories/GHSA-vcv2-q258-wrg7
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-32608
reference_id
reference_type
scores
0
value 7.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-32608
6
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1131197
reference_id 1131197
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1131197
7
reference_url https://github.com/advisories/GHSA-vcv2-q258-wrg7
reference_id GHSA-vcv2-q258-wrg7
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-vcv2-q258-wrg7
fixed_packages
0
url pkg:pypi/glances@4.5.2
purl pkg:pypi/glances@4.5.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-5zc6-z1te-puch
1
vulnerability VCID-bwr1-wtxu-67f6
2
vulnerability VCID-d4m1-p4fn-ukcm
3
vulnerability VCID-fnxj-vv7d-e3h1
4
vulnerability VCID-fzeh-mjyz-8kgf
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/glances@4.5.2
aliases CVE-2026-32608, GHSA-vcv2-q258-wrg7
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-tpyw-sbjd-3qgy
Fixing_vulnerabilities
Risk_score 10.0
Resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/glances@4.0.8