CVE-2026-33641

HIGH 7.8

Glances Vulnerable to Command Injection via Dynamic Configuration Values

CVSS Score

7.8

EPSS Score

0.0%

EPSS Percentile

0th

Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.3, Glances supports dynamic configuration values in which substrings enclosed in backticks are executed as system commands during configuration parsing. This behavior occurs in Config.get_value() and is implemented without validation or restriction of the executed commands. If an attacker can modify or influence configuration files, arbitrary commands will execute automatically with the privileges of the Glances process during startup or configuration reload. In deployments where Glances runs with elevated privileges (e.g., as a system service), this may lead to privilege escalation. This issue has been patched in version 4.5.3.

CWE	CWE-78
Vendor	nicolargo
Product	glances
Published	Apr 2, 2026
Last Updated	Apr 2, 2026

Stay Ahead of the Next One

Get instant alerts for nicolargo glances

Be the first to know when new high vulnerabilities affecting nicolargo glances are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Affected Versions

nicolargo / glances

< 4.5.3

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/nicolargo/glances/security/advisories/GHSA-qhj7-v7h7-q4c7 github.com: https://github.com/nicolargo/glances/commit/358d76a225fc21a9f95d2c4d7e46fafe64a644c6 github.com: https://github.com/nicolargo/glances/releases/tag/v4.5.3