CVE-2026-32611

HIGH 7.0

Glances has a SQL Injection in DuckDB Export via Unparameterized DDL Statements

CVSS Score

7.0

EPSS Score

0.0%

EPSS Percentile

0th

Glances is an open-source system cross-platform monitoring tool. The GHSA-x46r fix (commit 39161f0) addressed SQL injection in the TimescaleDB export module by converting all SQL operations to use parameterized queries and `psycopg.sql` composable objects. However, the DuckDB export module (`glances/exports/glances_duckdb/__init__.py`) was not included in this fix and contains the same class of vulnerability: table names and column names derived from monitoring statistics are directly interpolated into SQL statements via f-strings. While DuckDB INSERT values already use parameterized queries (`?` placeholders), the DDL construction and table name references do not escape or parameterize identifier names. Version 4.5.3 provides a more complete fix.

CWE	CWE-89
Vendor	nicolargo
Product	glances
Published	Mar 18, 2026
Last Updated	Mar 18, 2026

Stay Ahead of the Next One

Get instant alerts for nicolargo glances

Be the first to know when new high vulnerabilities affecting nicolargo glances are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

Low

Availability

Low

Affected Versions

nicolargo / glances

< 4.5.2

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/nicolargo/glances/security/advisories/GHSA-49g7-2ww7-3vf5 github.com: https://github.com/nicolargo/glances/commit/63b7da28895249d775202d639e5531ba63491a5c github.com: https://github.com/nicolargo/glances/releases/tag/v4.5.2