OPENSUSE-SU-2026:10415-1 - Vulnerability-Lookup

OPENSUSE-SU-2026:10415-1

Vulnerability from csaf_opensuse - Published: 2026-03-24 00:00 - Updated: 2026-03-24 00:00

Summary

glances-common-4.5.2-1.1 on GA media

Severity

Moderate

Notes

Title of the patch: glances-common-4.5.2-1.1 on GA media

Description of the patch: These are all security issues fixed in the glances-common-4.5.2-1.1 package on the GA media of openSUSE Tumbleweed.

Patchnames: openSUSE-Tumbleweed-2026-10415

Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

CVE-2026-32596

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Vendor Fix To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

CVE-2026-32608

Vendor Fix To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

CVE-2026-32609

Vendor Fix To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

CVE-2026-32610

Vendor Fix To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

CVE-2026-32611

9.1 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Vendor Fix To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

CVE-2026-32632

Vendor Fix To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

CVE-2026-32633

Vendor Fix To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

CVE-2026-32634

Vendor Fix To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

References

URL

Category

	https://www.suse.com/support/security/rating/	external
	https://ftp.suse.com/pub/projects/security/csaf/o…	self
	https://www.suse.com/security/cve/CVE-2026-32596/	self
	https://www.suse.com/security/cve/CVE-2026-32608/	self
	https://www.suse.com/security/cve/CVE-2026-32609/	self
	https://www.suse.com/security/cve/CVE-2026-32610/	self
	https://www.suse.com/security/cve/CVE-2026-32611/	self
	https://www.suse.com/security/cve/CVE-2026-32632/	self
	https://www.suse.com/security/cve/CVE-2026-32633/	self
	https://www.suse.com/security/cve/CVE-2026-32634/	self
	https://www.suse.com/security/cve/CVE-2026-32596	external
	https://bugzilla.suse.com/1260321	external
	https://www.suse.com/security/cve/CVE-2026-32608	external
	https://bugzilla.suse.com/1260320	external
	https://www.suse.com/security/cve/CVE-2026-32609	external
	https://bugzilla.suse.com/1259832	external
	https://www.suse.com/security/cve/CVE-2026-32610	external
	https://bugzilla.suse.com/1259841	external
	https://www.suse.com/security/cve/CVE-2026-32611	external
	https://bugzilla.suse.com/1259840	external
	https://www.suse.com/security/cve/CVE-2026-32632	external
	https://bugzilla.suse.com/1259839	external
	https://www.suse.com/security/cve/CVE-2026-32633	external
	https://bugzilla.suse.com/1259838	external
	https://www.suse.com/security/cve/CVE-2026-32634	external
	https://bugzilla.suse.com/1259837	external

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "glances-common-4.5.2-1.1 on GA media",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "These are all security issues fixed in the glances-common-4.5.2-1.1 package on the GA media of openSUSE Tumbleweed.",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-Tumbleweed-2026-10415",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2026_10415-1.json"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-32596 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-32596/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-32608 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-32608/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-32609 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-32609/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-32610 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-32610/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-32611 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-32611/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-32632 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-32632/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-32633 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-32633/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-32634 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-32634/"
      }
    ],
    "title": "glances-common-4.5.2-1.1 on GA media",
    "tracking": {
      "current_release_date": "2026-03-24T00:00:00Z",
      "generator": {
        "date": "2026-03-24T00:00:00Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2026:10415-1",
      "initial_release_date": "2026-03-24T00:00:00Z",
      "revision_history": [
        {
          "date": "2026-03-24T00:00:00Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "glances-common-4.5.2-1.1.aarch64",
                "product": {
                  "name": "glances-common-4.5.2-1.1.aarch64",
                  "product_id": "glances-common-4.5.2-1.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "python311-Glances-4.5.2-1.1.aarch64",
                "product": {
                  "name": "python311-Glances-4.5.2-1.1.aarch64",
                  "product_id": "python311-Glances-4.5.2-1.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "python313-Glances-4.5.2-1.1.aarch64",
                "product": {
                  "name": "python313-Glances-4.5.2-1.1.aarch64",
                  "product_id": "python313-Glances-4.5.2-1.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "glances-common-4.5.2-1.1.ppc64le",
                "product": {
                  "name": "glances-common-4.5.2-1.1.ppc64le",
                  "product_id": "glances-common-4.5.2-1.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "python311-Glances-4.5.2-1.1.ppc64le",
                "product": {
                  "name": "python311-Glances-4.5.2-1.1.ppc64le",
                  "product_id": "python311-Glances-4.5.2-1.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "python313-Glances-4.5.2-1.1.ppc64le",
                "product": {
                  "name": "python313-Glances-4.5.2-1.1.ppc64le",
                  "product_id": "python313-Glances-4.5.2-1.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "glances-common-4.5.2-1.1.s390x",
                "product": {
                  "name": "glances-common-4.5.2-1.1.s390x",
                  "product_id": "glances-common-4.5.2-1.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "python311-Glances-4.5.2-1.1.s390x",
                "product": {
                  "name": "python311-Glances-4.5.2-1.1.s390x",
                  "product_id": "python311-Glances-4.5.2-1.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "python313-Glances-4.5.2-1.1.s390x",
                "product": {
                  "name": "python313-Glances-4.5.2-1.1.s390x",
                  "product_id": "python313-Glances-4.5.2-1.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "glances-common-4.5.2-1.1.x86_64",
                "product": {
                  "name": "glances-common-4.5.2-1.1.x86_64",
                  "product_id": "glances-common-4.5.2-1.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "python311-Glances-4.5.2-1.1.x86_64",
                "product": {
                  "name": "python311-Glances-4.5.2-1.1.x86_64",
                  "product_id": "python311-Glances-4.5.2-1.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "python313-Glances-4.5.2-1.1.x86_64",
                "product": {
                  "name": "python313-Glances-4.5.2-1.1.x86_64",
                  "product_id": "python313-Glances-4.5.2-1.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Tumbleweed",
                "product": {
                  "name": "openSUSE Tumbleweed",
                  "product_id": "openSUSE Tumbleweed",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:tumbleweed"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "glances-common-4.5.2-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:glances-common-4.5.2-1.1.aarch64"
        },
        "product_reference": "glances-common-4.5.2-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "glances-common-4.5.2-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:glances-common-4.5.2-1.1.ppc64le"
        },
        "product_reference": "glances-common-4.5.2-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "glances-common-4.5.2-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:glances-common-4.5.2-1.1.s390x"
        },
        "product_reference": "glances-common-4.5.2-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "glances-common-4.5.2-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:glances-common-4.5.2-1.1.x86_64"
        },
        "product_reference": "glances-common-4.5.2-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python311-Glances-4.5.2-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.aarch64"
        },
        "product_reference": "python311-Glances-4.5.2-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python311-Glances-4.5.2-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.ppc64le"
        },
        "product_reference": "python311-Glances-4.5.2-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python311-Glances-4.5.2-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.s390x"
        },
        "product_reference": "python311-Glances-4.5.2-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python311-Glances-4.5.2-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.x86_64"
        },
        "product_reference": "python311-Glances-4.5.2-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python313-Glances-4.5.2-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.aarch64"
        },
        "product_reference": "python313-Glances-4.5.2-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python313-Glances-4.5.2-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.ppc64le"
        },
        "product_reference": "python313-Glances-4.5.2-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python313-Glances-4.5.2-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.s390x"
        },
        "product_reference": "python313-Glances-4.5.2-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python313-Glances-4.5.2-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.x86_64"
        },
        "product_reference": "python313-Glances-4.5.2-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-32596",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-32596"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Glances is an open-source system cross-platform monitoring tool. Prior to 4.5.2, Glances web server runs without authentication by default when started with `glances -w`, exposing REST API with sensitive system information including process command-lines containing credentials (passwords, API keys, tokens) to any network client. Version 4.5.2 fixes the issue.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:glances-common-4.5.2-1.1.aarch64",
          "openSUSE Tumbleweed:glances-common-4.5.2-1.1.ppc64le",
          "openSUSE Tumbleweed:glances-common-4.5.2-1.1.s390x",
          "openSUSE Tumbleweed:glances-common-4.5.2-1.1.x86_64",
          "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.aarch64",
          "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.ppc64le",
          "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.s390x",
          "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.x86_64",
          "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.aarch64",
          "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.ppc64le",
          "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.s390x",
          "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-32596",
          "url": "https://www.suse.com/security/cve/CVE-2026-32596"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1260321 for CVE-2026-32596",
          "url": "https://bugzilla.suse.com/1260321"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:glances-common-4.5.2-1.1.aarch64",
            "openSUSE Tumbleweed:glances-common-4.5.2-1.1.ppc64le",
            "openSUSE Tumbleweed:glances-common-4.5.2-1.1.s390x",
            "openSUSE Tumbleweed:glances-common-4.5.2-1.1.x86_64",
            "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.aarch64",
            "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.ppc64le",
            "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.s390x",
            "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.x86_64",
            "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.aarch64",
            "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.ppc64le",
            "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.s390x",
            "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:glances-common-4.5.2-1.1.aarch64",
            "openSUSE Tumbleweed:glances-common-4.5.2-1.1.ppc64le",
            "openSUSE Tumbleweed:glances-common-4.5.2-1.1.s390x",
            "openSUSE Tumbleweed:glances-common-4.5.2-1.1.x86_64",
            "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.aarch64",
            "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.ppc64le",
            "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.s390x",
            "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.x86_64",
            "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.aarch64",
            "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.ppc64le",
            "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.s390x",
            "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-03-24T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2026-32596"
    },
    {
      "cve": "CVE-2026-32608",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-32608"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Glances is an open-source system cross-platform monitoring tool. The Glances action system allows administrators to configure shell commands that execute when monitoring thresholds are exceeded. These commands support Mustache template variables (e.g., `{{name}}`, `{{key}}`) that are populated with runtime monitoring data. The `secure_popen()` function, which executes these commands, implements its own pipe, redirect, and chain operator handling by splitting the command string before passing each segment to `subprocess.Popen(shell=False)`. Prior to 4.5.2, when a Mustache-rendered value (such as a process name, filesystem mount point, or container name) contains pipe, redirect, or chain metacharacters, the rendered command is split in unintended ways, allowing an attacker who controls a process name or container name to inject arbitrary commands. Version 4.5.2 fixes the issue.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:glances-common-4.5.2-1.1.aarch64",
          "openSUSE Tumbleweed:glances-common-4.5.2-1.1.ppc64le",
          "openSUSE Tumbleweed:glances-common-4.5.2-1.1.s390x",
          "openSUSE Tumbleweed:glances-common-4.5.2-1.1.x86_64",
          "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.aarch64",
          "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.ppc64le",
          "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.s390x",
          "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.x86_64",
          "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.aarch64",
          "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.ppc64le",
          "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.s390x",
          "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-32608",
          "url": "https://www.suse.com/security/cve/CVE-2026-32608"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1260320 for CVE-2026-32608",
          "url": "https://bugzilla.suse.com/1260320"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:glances-common-4.5.2-1.1.aarch64",
            "openSUSE Tumbleweed:glances-common-4.5.2-1.1.ppc64le",
            "openSUSE Tumbleweed:glances-common-4.5.2-1.1.s390x",
            "openSUSE Tumbleweed:glances-common-4.5.2-1.1.x86_64",
            "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.aarch64",
            "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.ppc64le",
            "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.s390x",
            "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.x86_64",
            "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.aarch64",
            "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.ppc64le",
            "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.s390x",
            "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-03-24T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2026-32608"
    },
    {
      "cve": "CVE-2026-32609",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-32609"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Glances is an open-source system cross-platform monitoring tool. The GHSA-gh4x fix (commit 5d3de60) addressed unauthenticated configuration secrets exposure on the `/api/v4/config` endpoints by introducing `as_dict_secure()` redaction. However, the `/api/v4/args` and `/api/v4/args/{item}` endpoints were not addressed by this fix. These endpoints return the complete command-line arguments namespace via `vars(self.args)`, which includes the password hash (salt + pbkdf2_hmac), SNMP community strings, SNMP authentication keys, and the configuration file path. When Glances runs without `--password` (the default), these endpoints are accessible without any authentication. Version 4.5.2 provides a more complete fix.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:glances-common-4.5.2-1.1.aarch64",
          "openSUSE Tumbleweed:glances-common-4.5.2-1.1.ppc64le",
          "openSUSE Tumbleweed:glances-common-4.5.2-1.1.s390x",
          "openSUSE Tumbleweed:glances-common-4.5.2-1.1.x86_64",
          "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.aarch64",
          "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.ppc64le",
          "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.s390x",
          "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.x86_64",
          "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.aarch64",
          "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.ppc64le",
          "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.s390x",
          "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-32609",
          "url": "https://www.suse.com/security/cve/CVE-2026-32609"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1259832 for CVE-2026-32609",
          "url": "https://bugzilla.suse.com/1259832"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:glances-common-4.5.2-1.1.aarch64",
            "openSUSE Tumbleweed:glances-common-4.5.2-1.1.ppc64le",
            "openSUSE Tumbleweed:glances-common-4.5.2-1.1.s390x",
            "openSUSE Tumbleweed:glances-common-4.5.2-1.1.x86_64",
            "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.aarch64",
            "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.ppc64le",
            "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.s390x",
            "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.x86_64",
            "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.aarch64",
            "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.ppc64le",
            "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.s390x",
            "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-03-24T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2026-32609"
    },
    {
      "cve": "CVE-2026-32610",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-32610"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.2, the Glances REST API web server ships with a default CORS configuration that sets `allow_origins=[\"*\"]` combined with `allow_credentials=True`. When both of these options are enabled together, Starlette\u0027s `CORSMiddleware` reflects the requesting `Origin` header value in the `Access-Control-Allow-Origin` response header instead of returning the literal `*` wildcard. This effectively grants any website the ability to make credentialed cross-origin API requests to the Glances server, enabling cross-site data theft of system monitoring information, configuration secrets, and command line arguments from any user who has an active browser session with a Glances instance. Version 4.5.2 fixes the issue.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:glances-common-4.5.2-1.1.aarch64",
          "openSUSE Tumbleweed:glances-common-4.5.2-1.1.ppc64le",
          "openSUSE Tumbleweed:glances-common-4.5.2-1.1.s390x",
          "openSUSE Tumbleweed:glances-common-4.5.2-1.1.x86_64",
          "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.aarch64",
          "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.ppc64le",
          "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.s390x",
          "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.x86_64",
          "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.aarch64",
          "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.ppc64le",
          "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.s390x",
          "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-32610",
          "url": "https://www.suse.com/security/cve/CVE-2026-32610"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1259841 for CVE-2026-32610",
          "url": "https://bugzilla.suse.com/1259841"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:glances-common-4.5.2-1.1.aarch64",
            "openSUSE Tumbleweed:glances-common-4.5.2-1.1.ppc64le",
            "openSUSE Tumbleweed:glances-common-4.5.2-1.1.s390x",
            "openSUSE Tumbleweed:glances-common-4.5.2-1.1.x86_64",
            "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.aarch64",
            "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.ppc64le",
            "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.s390x",
            "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.x86_64",
            "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.aarch64",
            "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.ppc64le",
            "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.s390x",
            "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-03-24T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2026-32610"
    },
    {
      "cve": "CVE-2026-32611",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-32611"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Glances is an open-source system cross-platform monitoring tool. The GHSA-x46r fix (commit 39161f0) addressed SQL injection in the TimescaleDB export module by converting all SQL operations to use parameterized queries and `psycopg.sql` composable objects. However, the DuckDB export module (`glances/exports/glances_duckdb/__init__.py`) was not included in this fix and contains the same class of vulnerability: table names and column names derived from monitoring statistics are directly interpolated into SQL statements via f-strings. While DuckDB INSERT values already use parameterized queries (`?` placeholders), the DDL construction and table name references do not escape or parameterize identifier names. Version 4.5.3 provides a more complete fix.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:glances-common-4.5.2-1.1.aarch64",
          "openSUSE Tumbleweed:glances-common-4.5.2-1.1.ppc64le",
          "openSUSE Tumbleweed:glances-common-4.5.2-1.1.s390x",
          "openSUSE Tumbleweed:glances-common-4.5.2-1.1.x86_64",
          "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.aarch64",
          "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.ppc64le",
          "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.s390x",
          "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.x86_64",
          "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.aarch64",
          "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.ppc64le",
          "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.s390x",
          "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-32611",
          "url": "https://www.suse.com/security/cve/CVE-2026-32611"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1259840 for CVE-2026-32611",
          "url": "https://bugzilla.suse.com/1259840"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:glances-common-4.5.2-1.1.aarch64",
            "openSUSE Tumbleweed:glances-common-4.5.2-1.1.ppc64le",
            "openSUSE Tumbleweed:glances-common-4.5.2-1.1.s390x",
            "openSUSE Tumbleweed:glances-common-4.5.2-1.1.x86_64",
            "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.aarch64",
            "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.ppc64le",
            "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.s390x",
            "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.x86_64",
            "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.aarch64",
            "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.ppc64le",
            "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.s390x",
            "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:glances-common-4.5.2-1.1.aarch64",
            "openSUSE Tumbleweed:glances-common-4.5.2-1.1.ppc64le",
            "openSUSE Tumbleweed:glances-common-4.5.2-1.1.s390x",
            "openSUSE Tumbleweed:glances-common-4.5.2-1.1.x86_64",
            "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.aarch64",
            "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.ppc64le",
            "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.s390x",
            "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.x86_64",
            "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.aarch64",
            "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.ppc64le",
            "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.s390x",
            "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-03-24T00:00:00Z",
          "details": "critical"
        }
      ],
      "title": "CVE-2026-32611"
    },
    {
      "cve": "CVE-2026-32632",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-32632"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Glances is an open-source system cross-platform monitoring tool. Glances recently added DNS rebinding protection for the MCP endpoint, but prior to version 4.5.2, the main REST/WebUI FastAPI application still accepts arbitrary `Host` headers and does not apply `TrustedHostMiddleware` or an equivalent host allowlist. As a result, the REST API, WebUI, and token endpoint remain reachable through attacker-controlled domains in classic DNS rebinding scenarios. Once the victim browser has rebound the attacker domain to the Glances service, same-origin policy no longer protects the API because the browser considers the rebinding domain to be the origin. This is a distinct issue from the previously reported default CORS weakness. CORS is not required for exploitation here because DNS rebinding causes the victim browser to treat the malicious domain as same-origin with the rebinding target. Version 4.5.2 contains a patch for the issue.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:glances-common-4.5.2-1.1.aarch64",
          "openSUSE Tumbleweed:glances-common-4.5.2-1.1.ppc64le",
          "openSUSE Tumbleweed:glances-common-4.5.2-1.1.s390x",
          "openSUSE Tumbleweed:glances-common-4.5.2-1.1.x86_64",
          "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.aarch64",
          "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.ppc64le",
          "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.s390x",
          "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.x86_64",
          "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.aarch64",
          "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.ppc64le",
          "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.s390x",
          "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-32632",
          "url": "https://www.suse.com/security/cve/CVE-2026-32632"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1259839 for CVE-2026-32632",
          "url": "https://bugzilla.suse.com/1259839"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:glances-common-4.5.2-1.1.aarch64",
            "openSUSE Tumbleweed:glances-common-4.5.2-1.1.ppc64le",
            "openSUSE Tumbleweed:glances-common-4.5.2-1.1.s390x",
            "openSUSE Tumbleweed:glances-common-4.5.2-1.1.x86_64",
            "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.aarch64",
            "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.ppc64le",
            "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.s390x",
            "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.x86_64",
            "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.aarch64",
            "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.ppc64le",
            "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.s390x",
            "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-03-24T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2026-32632"
    },
    {
      "cve": "CVE-2026-32633",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-32633"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.2, in Central Browser mode, the `/api/4/serverslist` endpoint returns raw server objects from `GlancesServersList.get_servers_list()`. Those objects are mutated in-place during background polling and can contain a `uri` field with embedded HTTP Basic credentials for downstream Glances servers, using the reusable pbkdf2-derived Glances authentication secret. If the front Glances Browser/API instance is started without `--password`, which is supported and common for internal network deployments, `/api/4/serverslist` is completely unauthenticated. Any network user who can reach the Browser API can retrieve reusable credentials for protected downstream Glances servers once they have been polled by the browser instance. Version 4.5.2 fixes the issue.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:glances-common-4.5.2-1.1.aarch64",
          "openSUSE Tumbleweed:glances-common-4.5.2-1.1.ppc64le",
          "openSUSE Tumbleweed:glances-common-4.5.2-1.1.s390x",
          "openSUSE Tumbleweed:glances-common-4.5.2-1.1.x86_64",
          "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.aarch64",
          "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.ppc64le",
          "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.s390x",
          "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.x86_64",
          "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.aarch64",
          "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.ppc64le",
          "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.s390x",
          "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-32633",
          "url": "https://www.suse.com/security/cve/CVE-2026-32633"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1259838 for CVE-2026-32633",
          "url": "https://bugzilla.suse.com/1259838"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:glances-common-4.5.2-1.1.aarch64",
            "openSUSE Tumbleweed:glances-common-4.5.2-1.1.ppc64le",
            "openSUSE Tumbleweed:glances-common-4.5.2-1.1.s390x",
            "openSUSE Tumbleweed:glances-common-4.5.2-1.1.x86_64",
            "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.aarch64",
            "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.ppc64le",
            "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.s390x",
            "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.x86_64",
            "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.aarch64",
            "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.ppc64le",
            "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.s390x",
            "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-03-24T00:00:00Z",
          "details": "critical"
        }
      ],
      "title": "CVE-2026-32633"
    },
    {
      "cve": "CVE-2026-32634",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-32634"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.2, in Central Browser mode, Glances stores both the Zeroconf-advertised server name and the discovered IP address for dynamic servers, but later builds connection URIs from the untrusted advertised name instead of the discovered IP. When a dynamic server reports itself as protected, Glances also uses that same untrusted name as the lookup key for saved passwords and the global `[passwords] default` credential. An attacker on the same local network can advertise a fake Glances service over Zeroconf and cause the browser to automatically send a reusable Glances authentication secret to an attacker-controlled host. This affects the background polling path and the REST/WebUI click-through path in Central Browser mode. Version 4.5.2 fixes the issue.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:glances-common-4.5.2-1.1.aarch64",
          "openSUSE Tumbleweed:glances-common-4.5.2-1.1.ppc64le",
          "openSUSE Tumbleweed:glances-common-4.5.2-1.1.s390x",
          "openSUSE Tumbleweed:glances-common-4.5.2-1.1.x86_64",
          "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.aarch64",
          "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.ppc64le",
          "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.s390x",
          "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.x86_64",
          "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.aarch64",
          "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.ppc64le",
          "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.s390x",
          "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-32634",
          "url": "https://www.suse.com/security/cve/CVE-2026-32634"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1259837 for CVE-2026-32634",
          "url": "https://bugzilla.suse.com/1259837"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:glances-common-4.5.2-1.1.aarch64",
            "openSUSE Tumbleweed:glances-common-4.5.2-1.1.ppc64le",
            "openSUSE Tumbleweed:glances-common-4.5.2-1.1.s390x",
            "openSUSE Tumbleweed:glances-common-4.5.2-1.1.x86_64",
            "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.aarch64",
            "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.ppc64le",
            "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.s390x",
            "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.x86_64",
            "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.aarch64",
            "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.ppc64le",
            "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.s390x",
            "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-03-24T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2026-32634"
    }
  ]
}

CVE-2026-32596 (GCVE-0-2026-32596)

Vulnerability from cvelistv5 – Published: 2026-03-18 05:18 – Updated: 2026-03-18 15:45

Title

Glances exposes the REST API without authentication

Summary

Glances is an open-source system cross-platform monitoring tool. Prior to 4.5.2, Glances web server runs without authentication by default when started with `glances -w`, exposing REST API with sensitive system information including process command-lines containing credentials (passwords, API keys, tokens) to any network client. Version 4.5.2 fixes the issue.

Severity ?

8.7 (High)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

CWE

CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor

Assigner

GitHub_M

References

URL

Tags

	https://github.com/nicolargo/glances/security/adv…	x_refsource_CONFIRM
	https://github.com/nicolargo/glances/commit/208d8…	x_refsource_MISC
	https://github.com/nicolargo/glances/releases/tag…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	nicolargo	glances	Affected: < 4.5.2

Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-32596",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-18T15:44:55.679511Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-18T15:45:18.808Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "glances",
          "vendor": "nicolargo",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 4.5.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Glances is an open-source system cross-platform monitoring tool. Prior to 4.5.2, Glances web server runs without authentication by default when started with `glances -w`, exposing REST API with sensitive system information including process command-lines containing credentials (passwords, API keys, tokens) to any network client. Version 4.5.2 fixes the issue."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-18T05:18:11.547Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/nicolargo/glances/security/advisories/GHSA-wvxv-4j8q-4wjq",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/nicolargo/glances/security/advisories/GHSA-wvxv-4j8q-4wjq"
        },
        {
          "name": "https://github.com/nicolargo/glances/commit/208d876118fea5758970f33fd7474908bd403d25",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/nicolargo/glances/commit/208d876118fea5758970f33fd7474908bd403d25"
        },
        {
          "name": "https://github.com/nicolargo/glances/releases/tag/v4.5.2",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/nicolargo/glances/releases/tag/v4.5.2"
        }
      ],
      "source": {
        "advisory": "GHSA-wvxv-4j8q-4wjq",
        "discovery": "UNKNOWN"
      },
      "title": "Glances exposes the REST API without authentication"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-32596",
    "datePublished": "2026-03-18T05:18:11.547Z",
    "dateReserved": "2026-03-12T14:54:24.269Z",
    "dateUpdated": "2026-03-18T15:45:18.808Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-32609 (GCVE-0-2026-32609)

Vulnerability from cvelistv5 – Published: 2026-03-18 14:30 – Updated: 2026-03-18 14:46

Title

Glances has Incomplete Secrets Redaction: /api/v4/args Endpoint Leaks Password Hash and SNMP Credentials

Summary

Glances is an open-source system cross-platform monitoring tool. The GHSA-gh4x fix (commit 5d3de60) addressed unauthenticated configuration secrets exposure on the `/api/v4/config` endpoints by introducing `as_dict_secure()` redaction. However, the `/api/v4/args` and `/api/v4/args/{item}` endpoints were not addressed by this fix. These endpoints return the complete command-line arguments namespace via `vars(self.args)`, which includes the password hash (salt + pbkdf2_hmac), SNMP community strings, SNMP authentication keys, and the configuration file path. When Glances runs without `--password` (the default), these endpoints are accessible without any authentication. Version 4.5.2 provides a more complete fix.

Severity ?

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE

CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor

Assigner

GitHub_M

References

URL

Tags

	https://github.com/nicolargo/glances/security/adv…	x_refsource_CONFIRM
	https://github.com/nicolargo/glances/commit/ff14e…	x_refsource_MISC
	https://github.com/nicolargo/glances/releases/tag…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	nicolargo	glances	Affected: < 4.5.2

Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-32609",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-18T14:45:48.212375Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-18T14:46:18.186Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "glances",
          "vendor": "nicolargo",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 4.5.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Glances is an open-source system cross-platform monitoring tool. The GHSA-gh4x fix (commit 5d3de60) addressed unauthenticated configuration secrets exposure on the `/api/v4/config` endpoints by introducing `as_dict_secure()` redaction. However, the `/api/v4/args` and `/api/v4/args/{item}` endpoints were not addressed by this fix. These endpoints return the complete command-line arguments namespace via `vars(self.args)`, which includes the password hash (salt + pbkdf2_hmac), SNMP community strings, SNMP authentication keys, and the configuration file path. When Glances runs without `--password` (the default), these endpoints are accessible without any authentication. Version 4.5.2 provides a more complete fix."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-18T14:30:37.786Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/nicolargo/glances/security/advisories/GHSA-cvwp-r2g2-j824",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/nicolargo/glances/security/advisories/GHSA-cvwp-r2g2-j824"
        },
        {
          "name": "https://github.com/nicolargo/glances/commit/ff14eb9780ee10ec018c754754b1c8c7bfb6c44f",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/nicolargo/glances/commit/ff14eb9780ee10ec018c754754b1c8c7bfb6c44f"
        },
        {
          "name": "https://github.com/nicolargo/glances/releases/tag/v4.5.2",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/nicolargo/glances/releases/tag/v4.5.2"
        }
      ],
      "source": {
        "advisory": "GHSA-cvwp-r2g2-j824",
        "discovery": "UNKNOWN"
      },
      "title": "Glances has Incomplete Secrets Redaction: /api/v4/args Endpoint Leaks Password Hash and SNMP Credentials"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-32609",
    "datePublished": "2026-03-18T14:30:37.786Z",
    "dateReserved": "2026-03-12T14:54:24.270Z",
    "dateUpdated": "2026-03-18T14:46:18.186Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-32634 (GCVE-0-2026-32634)

Vulnerability from cvelistv5 – Published: 2026-03-18 17:55 – Updated: 2026-03-18 18:36

Title

Glances Central Browser Autodiscovery Leaks Reusable Credentials to Zeroconf-Spoofed Servers

Summary

Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.2, in Central Browser mode, Glances stores both the Zeroconf-advertised server name and the discovered IP address for dynamic servers, but later builds connection URIs from the untrusted advertised name instead of the discovered IP. When a dynamic server reports itself as protected, Glances also uses that same untrusted name as the lookup key for saved passwords and the global `[passwords] default` credential. An attacker on the same local network can advertise a fake Glances service over Zeroconf and cause the browser to automatically send a reusable Glances authentication secret to an attacker-controlled host. This affects the background polling path and the REST/WebUI click-through path in Central Browser mode. Version 4.5.2 fixes the issue.

Severity ?

8.1 (High)


                        
                          CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CWE

CWE-346 - Origin Validation Error
CWE-522 - Insufficiently Protected Credentials

Assigner

GitHub_M

References

URL

Tags

	https://github.com/nicolargo/glances/security/adv…	x_refsource_CONFIRM
	https://github.com/nicolargo/glances/commit/61d38…	x_refsource_MISC
	https://github.com/nicolargo/glances/releases/tag…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	nicolargo	glances	Affected: < 4.5.2

Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-32634",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-18T18:36:04.743026Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-18T18:36:07.432Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/nicolargo/glances/security/advisories/GHSA-vx5f-957p-qpvm"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "glances",
          "vendor": "nicolargo",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 4.5.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.2, in Central Browser mode, Glances stores both the Zeroconf-advertised server name and the discovered IP address for dynamic servers, but later builds connection URIs from the untrusted advertised name instead of the discovered IP. When a dynamic server reports itself as protected, Glances also uses that same untrusted name as the lookup key for saved passwords and the global `[passwords] default` credential. An attacker on the same local network can advertise a fake Glances service over Zeroconf and cause the browser to automatically send a reusable Glances authentication secret to an attacker-controlled host. This affects the background polling path and the REST/WebUI click-through path in Central Browser mode. Version 4.5.2 fixes the issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-346",
              "description": "CWE-346: Origin Validation Error",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-522",
              "description": "CWE-522: Insufficiently Protected Credentials",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-18T17:55:30.552Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/nicolargo/glances/security/advisories/GHSA-vx5f-957p-qpvm",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/nicolargo/glances/security/advisories/GHSA-vx5f-957p-qpvm"
        },
        {
          "name": "https://github.com/nicolargo/glances/commit/61d38eec521703e41e4933d18d5a5ef6f854abd5",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/nicolargo/glances/commit/61d38eec521703e41e4933d18d5a5ef6f854abd5"
        },
        {
          "name": "https://github.com/nicolargo/glances/releases/tag/v4.5.2",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/nicolargo/glances/releases/tag/v4.5.2"
        }
      ],
      "source": {
        "advisory": "GHSA-vx5f-957p-qpvm",
        "discovery": "UNKNOWN"
      },
      "title": "Glances Central Browser Autodiscovery Leaks Reusable Credentials to Zeroconf-Spoofed Servers"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-32634",
    "datePublished": "2026-03-18T17:55:30.552Z",
    "dateReserved": "2026-03-12T15:29:36.559Z",
    "dateUpdated": "2026-03-18T18:36:07.432Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-32632 (GCVE-0-2026-32632)

Vulnerability from cvelistv5 – Published: 2026-03-18 17:47 – Updated: 2026-03-18 18:15

Title

Glances's REST/WebUI Lacks Host Validation and Remains Exposed to DNS Rebinding

Summary

Glances is an open-source system cross-platform monitoring tool. Glances recently added DNS rebinding protection for the MCP endpoint, but prior to version 4.5.2, the main REST/WebUI FastAPI application still accepts arbitrary `Host` headers and does not apply `TrustedHostMiddleware` or an equivalent host allowlist. As a result, the REST API, WebUI, and token endpoint remain reachable through attacker-controlled domains in classic DNS rebinding scenarios. Once the victim browser has rebound the attacker domain to the Glances service, same-origin policy no longer protects the API because the browser considers the rebinding domain to be the origin. This is a distinct issue from the previously reported default CORS weakness. CORS is not required for exploitation here because DNS rebinding causes the victim browser to treat the malicious domain as same-origin with the rebinding target. Version 4.5.2 contains a patch for the issue.

Severity ?

5.9 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N

CWE

CWE-346 - Origin Validation Error

Assigner

GitHub_M

References

URL

Tags

	https://github.com/nicolargo/glances/security/adv…	x_refsource_CONFIRM
	https://github.com/nicolargo/glances/commit/5850c…	x_refsource_MISC
	https://github.com/nicolargo/glances/releases/tag…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	nicolargo	glances	Affected: < 4.5.2

Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-32632",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-18T18:15:48.491743Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-18T18:15:59.648Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/nicolargo/glances/security/advisories/GHSA-hhcg-r27j-fhv9"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "glances",
          "vendor": "nicolargo",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 4.5.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Glances is an open-source system cross-platform monitoring tool. Glances recently added DNS rebinding protection for the MCP endpoint, but prior to version 4.5.2, the main REST/WebUI FastAPI application still accepts arbitrary `Host` headers and does not apply `TrustedHostMiddleware` or an equivalent host allowlist. As a result, the REST API, WebUI, and token endpoint remain reachable through attacker-controlled domains in classic DNS rebinding scenarios. Once the victim browser has rebound the attacker domain to the Glances service, same-origin policy no longer protects the API because the browser considers the rebinding domain to be the origin. This is a distinct issue from the previously reported default CORS weakness. CORS is not required for exploitation here because DNS rebinding causes the victim browser to treat the malicious domain as same-origin with the rebinding target. Version 4.5.2 contains a patch for the issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-346",
              "description": "CWE-346: Origin Validation Error",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-18T17:47:25.929Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/nicolargo/glances/security/advisories/GHSA-hhcg-r27j-fhv9",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/nicolargo/glances/security/advisories/GHSA-hhcg-r27j-fhv9"
        },
        {
          "name": "https://github.com/nicolargo/glances/commit/5850c564ee10804fdf884823b9c210eb954dd1f9",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/nicolargo/glances/commit/5850c564ee10804fdf884823b9c210eb954dd1f9"
        },
        {
          "name": "https://github.com/nicolargo/glances/releases/tag/v4.5.2",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/nicolargo/glances/releases/tag/v4.5.2"
        }
      ],
      "source": {
        "advisory": "GHSA-hhcg-r27j-fhv9",
        "discovery": "UNKNOWN"
      },
      "title": "Glances\u0027s REST/WebUI Lacks Host Validation and Remains Exposed to DNS Rebinding"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-32632",
    "datePublished": "2026-03-18T17:47:25.929Z",
    "dateReserved": "2026-03-12T15:29:36.559Z",
    "dateUpdated": "2026-03-18T18:15:59.648Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-32633 (GCVE-0-2026-32633)

Vulnerability from cvelistv5 – Published: 2026-03-18 17:53 – Updated: 2026-03-18 18:35

Title

Glances's Browser API Exposes Reusable Downstream Credentials via `/api/4/serverslist`

Summary

Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.2, in Central Browser mode, the `/api/4/serverslist` endpoint returns raw server objects from `GlancesServersList.get_servers_list()`. Those objects are mutated in-place during background polling and can contain a `uri` field with embedded HTTP Basic credentials for downstream Glances servers, using the reusable pbkdf2-derived Glances authentication secret. If the front Glances Browser/API instance is started without `--password`, which is supported and common for internal network deployments, `/api/4/serverslist` is completely unauthenticated. Any network user who can reach the Browser API can retrieve reusable credentials for protected downstream Glances servers once they have been polled by the browser instance. Version 4.5.2 fixes the issue.

Severity ?

9.1 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CWE

CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
CWE-522 - Insufficiently Protected Credentials

Assigner

GitHub_M

References

URL

Tags

	https://github.com/nicolargo/glances/security/adv…	x_refsource_CONFIRM
	https://github.com/nicolargo/glances/commit/879ef…	x_refsource_MISC
	https://github.com/nicolargo/glances/releases/tag…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	nicolargo	glances	Affected: < 4.5.2

Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-32633",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-18T18:35:24.415863Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-18T18:35:27.562Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/nicolargo/glances/security/advisories/GHSA-r297-p3v4-wp8m"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "glances",
          "vendor": "nicolargo",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 4.5.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.2, in Central Browser mode, the `/api/4/serverslist` endpoint returns raw server objects from `GlancesServersList.get_servers_list()`. Those objects are mutated in-place during background polling and can contain a `uri` field with embedded HTTP Basic credentials for downstream Glances servers, using the reusable pbkdf2-derived Glances authentication secret. If the front Glances Browser/API instance is started without `--password`, which is supported and common for internal network deployments, `/api/4/serverslist` is completely unauthenticated. Any network user who can reach the Browser API can retrieve reusable credentials for protected downstream Glances servers once they have been polled by the browser instance. Version 4.5.2 fixes the issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-522",
              "description": "CWE-522: Insufficiently Protected Credentials",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-18T17:53:11.263Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/nicolargo/glances/security/advisories/GHSA-r297-p3v4-wp8m",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/nicolargo/glances/security/advisories/GHSA-r297-p3v4-wp8m"
        },
        {
          "name": "https://github.com/nicolargo/glances/commit/879ef8688ffa1630839549751d3c7ef9961d361e",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/nicolargo/glances/commit/879ef8688ffa1630839549751d3c7ef9961d361e"
        },
        {
          "name": "https://github.com/nicolargo/glances/releases/tag/v4.5.2",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/nicolargo/glances/releases/tag/v4.5.2"
        }
      ],
      "source": {
        "advisory": "GHSA-r297-p3v4-wp8m",
        "discovery": "UNKNOWN"
      },
      "title": "Glances\u0027s Browser API Exposes Reusable Downstream Credentials via `/api/4/serverslist`"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-32633",
    "datePublished": "2026-03-18T17:53:11.263Z",
    "dateReserved": "2026-03-12T15:29:36.559Z",
    "dateUpdated": "2026-03-18T18:35:27.562Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-32610 (GCVE-0-2026-32610)

Vulnerability from cvelistv5 – Published: 2026-03-18 16:31 – Updated: 2026-03-18 16:59

Title

Glances's Default CORS Configuration Allows Cross-Origin Credential Theft

Summary

Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.2, the Glances REST API web server ships with a default CORS configuration that sets `allow_origins=["*"]` combined with `allow_credentials=True`. When both of these options are enabled together, Starlette's `CORSMiddleware` reflects the requesting `Origin` header value in the `Access-Control-Allow-Origin` response header instead of returning the literal `*` wildcard. This effectively grants any website the ability to make credentialed cross-origin API requests to the Glances server, enabling cross-site data theft of system monitoring information, configuration secrets, and command line arguments from any user who has an active browser session with a Glances instance. Version 4.5.2 fixes the issue.

Severity ?

8.1 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

CWE

CWE-942 - Permissive Cross-domain Policy with Untrusted Domains

Assigner

GitHub_M

References

URL

Tags

	https://github.com/nicolargo/glances/security/adv…	x_refsource_CONFIRM
	https://github.com/nicolargo/glances/commit/44651…	x_refsource_MISC
	https://github.com/nicolargo/glances/releases/tag…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	nicolargo	glances	Affected: < 4.5.2

Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-32610",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-18T16:59:20.865855Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-18T16:59:40.327Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "glances",
          "vendor": "nicolargo",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 4.5.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.2, the Glances REST API web server ships with a default CORS configuration that sets `allow_origins=[\"*\"]` combined with `allow_credentials=True`. When both of these options are enabled together, Starlette\u0027s `CORSMiddleware` reflects the requesting `Origin` header value in the `Access-Control-Allow-Origin` response header instead of returning the literal `*` wildcard. This effectively grants any website the ability to make credentialed cross-origin API requests to the Glances server, enabling cross-site data theft of system monitoring information, configuration secrets, and command line arguments from any user who has an active browser session with a Glances instance. Version 4.5.2 fixes the issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-942",
              "description": "CWE-942: Permissive Cross-domain Policy with Untrusted Domains",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-18T16:31:12.154Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/nicolargo/glances/security/advisories/GHSA-9jfm-9rc6-2hfq",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/nicolargo/glances/security/advisories/GHSA-9jfm-9rc6-2hfq"
        },
        {
          "name": "https://github.com/nicolargo/glances/commit/4465169b71d93991f1e49740fe02428291099832",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/nicolargo/glances/commit/4465169b71d93991f1e49740fe02428291099832"
        },
        {
          "name": "https://github.com/nicolargo/glances/releases/tag/v4.5.2",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/nicolargo/glances/releases/tag/v4.5.2"
        }
      ],
      "source": {
        "advisory": "GHSA-9jfm-9rc6-2hfq",
        "discovery": "UNKNOWN"
      },
      "title": "Glances\u0027s Default CORS Configuration Allows Cross-Origin Credential Theft"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-32610",
    "datePublished": "2026-03-18T16:31:12.154Z",
    "dateReserved": "2026-03-12T14:54:24.270Z",
    "dateUpdated": "2026-03-18T16:59:40.327Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-32608 (GCVE-0-2026-32608)

Vulnerability from cvelistv5 – Published: 2026-03-18 06:03 – Updated: 2026-03-18 15:39

Title

Glances has a Command Injection via Process Names in Action Command Templates

Summary

Glances is an open-source system cross-platform monitoring tool. The Glances action system allows administrators to configure shell commands that execute when monitoring thresholds are exceeded. These commands support Mustache template variables (e.g., `{{name}}`, `{{key}}`) that are populated with runtime monitoring data. The `secure_popen()` function, which executes these commands, implements its own pipe, redirect, and chain operator handling by splitting the command string before passing each segment to `subprocess.Popen(shell=False)`. Prior to 4.5.2, when a Mustache-rendered value (such as a process name, filesystem mount point, or container name) contains pipe, redirect, or chain metacharacters, the rendered command is split in unintended ways, allowing an attacker who controls a process name or container name to inject arbitrary commands. Version 4.5.2 fixes the issue.

Severity ?

7 (High)


                        
                          CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Assigner

GitHub_M

References

URL

Tags

	https://github.com/nicolargo/glances/security/adv…	x_refsource_CONFIRM
	https://github.com/nicolargo/glances/commit/6f4ec…	x_refsource_MISC
	https://github.com/nicolargo/glances/releases/tag…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	nicolargo	glances	Affected: < 4.5.2

Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-32608",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-18T15:38:16.679632Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-18T15:39:15.123Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "glances",
          "vendor": "nicolargo",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 4.5.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Glances is an open-source system cross-platform monitoring tool. The Glances action system allows administrators to configure shell commands that execute when monitoring thresholds are exceeded. These commands support Mustache template variables (e.g., `{{name}}`, `{{key}}`) that are populated with runtime monitoring data. The `secure_popen()` function, which executes these commands, implements its own pipe, redirect, and chain operator handling by splitting the command string before passing each segment to `subprocess.Popen(shell=False)`. Prior to 4.5.2, when a Mustache-rendered value (such as a process name, filesystem mount point, or container name) contains pipe, redirect, or chain metacharacters, the rendered command is split in unintended ways, allowing an attacker who controls a process name or container name to inject arbitrary commands. Version 4.5.2 fixes the issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 7,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-78",
              "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-18T06:03:22.153Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/nicolargo/glances/security/advisories/GHSA-vcv2-q258-wrg7",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/nicolargo/glances/security/advisories/GHSA-vcv2-q258-wrg7"
        },
        {
          "name": "https://github.com/nicolargo/glances/commit/6f4ec53d967478e69917078e6f73f448001bf107",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/nicolargo/glances/commit/6f4ec53d967478e69917078e6f73f448001bf107"
        },
        {
          "name": "https://github.com/nicolargo/glances/releases/tag/v4.5.2",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/nicolargo/glances/releases/tag/v4.5.2"
        }
      ],
      "source": {
        "advisory": "GHSA-vcv2-q258-wrg7",
        "discovery": "UNKNOWN"
      },
      "title": "Glances has a Command Injection via Process Names in Action Command Templates"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-32608",
    "datePublished": "2026-03-18T06:03:22.153Z",
    "dateReserved": "2026-03-12T14:54:24.270Z",
    "dateUpdated": "2026-03-18T15:39:15.123Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-32611 (GCVE-0-2026-32611)

Vulnerability from cvelistv5 – Published: 2026-03-18 17:21 – Updated: 2026-03-18 18:51

Title

Glances has a SQL Injection in DuckDB Export via Unparameterized DDL Statements

Summary

Glances is an open-source system cross-platform monitoring tool. The GHSA-x46r fix (commit 39161f0) addressed SQL injection in the TimescaleDB export module by converting all SQL operations to use parameterized queries and `psycopg.sql` composable objects. However, the DuckDB export module (`glances/exports/glances_duckdb/__init__.py`) was not included in this fix and contains the same class of vulnerability: table names and column names derived from monitoring statistics are directly interpolated into SQL statements via f-strings. While DuckDB INSERT values already use parameterized queries (`?` placeholders), the DDL construction and table name references do not escape or parameterize identifier names. Version 4.5.3 provides a more complete fix.

Severity ?

7 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L

CWE

CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Assigner

GitHub_M

References

URL

Tags

	https://github.com/nicolargo/glances/security/adv…	x_refsource_CONFIRM
	https://github.com/nicolargo/glances/commit/63b7d…	x_refsource_MISC
	https://github.com/nicolargo/glances/releases/tag…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	nicolargo	glances	Affected: < 4.5.2

Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-32611",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-18T18:50:55.560409Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-18T18:51:23.479Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/nicolargo/glances/security/advisories/GHSA-49g7-2ww7-3vf5"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "glances",
          "vendor": "nicolargo",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 4.5.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Glances is an open-source system cross-platform monitoring tool. The GHSA-x46r fix (commit 39161f0) addressed SQL injection in the TimescaleDB export module by converting all SQL operations to use parameterized queries and `psycopg.sql` composable objects. However, the DuckDB export module (`glances/exports/glances_duckdb/__init__.py`) was not included in this fix and contains the same class of vulnerability: table names and column names derived from monitoring statistics are directly interpolated into SQL statements via f-strings. While DuckDB INSERT values already use parameterized queries (`?` placeholders), the DDL construction and table name references do not escape or parameterize identifier names. Version 4.5.3 provides a more complete fix."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 7,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-89",
              "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-18T17:21:18.668Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/nicolargo/glances/security/advisories/GHSA-49g7-2ww7-3vf5",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/nicolargo/glances/security/advisories/GHSA-49g7-2ww7-3vf5"
        },
        {
          "name": "https://github.com/nicolargo/glances/commit/63b7da28895249d775202d639e5531ba63491a5c",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/nicolargo/glances/commit/63b7da28895249d775202d639e5531ba63491a5c"
        },
        {
          "name": "https://github.com/nicolargo/glances/releases/tag/v4.5.2",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/nicolargo/glances/releases/tag/v4.5.2"
        }
      ],
      "source": {
        "advisory": "GHSA-49g7-2ww7-3vf5",
        "discovery": "UNKNOWN"
      },
      "title": "Glances has a SQL Injection in DuckDB Export via Unparameterized DDL Statements"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-32611",
    "datePublished": "2026-03-18T17:21:18.668Z",
    "dateReserved": "2026-03-12T14:54:24.270Z",
    "dateUpdated": "2026-03-18T18:51:23.479Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Log in or create an account to share your comment.

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.