CVE Alert

CVE-2026-46606

HIGH 7.8

Glances: Command Injection via KVM/QEMU VM Domain Names in glances/plugins/vms/engines/virsh.py

CVSS Score: 7.8
EPSS Score: 0.0%
EPSS Percentile: 0th

Glances is an open-source, cross-platform system monitoring tool. Prior to 4.5.5, the Glances KVM/QEMU monitoring engine (glances/plugins/vms/engines/virsh.py) passes VM domain names, read directly from `virsh list --all` output, into f-string command templates that are processed by secure_popen(). secure_popen() is explicitly designed to interpret &&, |, and > as shell operators. Because domain names are never sanitised before interpolation, any user with the ability to create or rename a KVM/QEMU virtual machine can execute arbitrary commands as the OS user running Glances, which is commonly root on hypervisor hosts. This vulnerability is fixed in 4.5.5.
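As an added illustration (not Glances' own code and not the 4.5.5 fix), the defensive pattern for this bug class: reject domain names that fall outside a conservative allowlist before they reach any command template, and invoke virsh with an argv list so no shell operator is ever interpreted. The regex, the function names and the sample `virsh list --all --name` output are assumptions made for the example.

```python
import re
import subprocess

# Assumption (not from Glances): only a conservative charset is accepted for
# libvirt domain names. libvirt itself allows more, but anything outside this
# set is exactly what a shell-interpreting helper could misread as operators.
_SAFE_DOMAIN = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}")


def is_safe_domain_name(name: str) -> bool:
    """True if `name` cannot carry shell operators such as &&, | or >."""
    return _SAFE_DOMAIN.fullmatch(name) is not None


def collect_domain_names(list_output: str) -> tuple[list[str], list[str]]:
    """Split `virsh list --all --name` output into (accepted, rejected) names.

    Rejected names are returned rather than dropped so the monitor can log
    and alert on a VM whose name looks like a command fragment."""
    accepted, rejected = [], []
    for line in list_output.splitlines():
        name = line.strip()
        if not name:
            continue
        (accepted if is_safe_domain_name(name) else rejected).append(name)
    return accepted, rejected


def build_virsh_argv(subcommand: str, name: str) -> list[str]:
    """Build argv for `virsh <subcommand> <name>`; refuse untrusted names."""
    if not is_safe_domain_name(name):
        raise ValueError(f"refusing untrusted domain name: {name!r}")
    return ["virsh", subcommand, name]


def run_virsh(subcommand: str, name: str) -> str:
    """Run virsh with shell=False: the name is a single argv element, never
    re-parsed by a shell, so operators inside it have no meaning."""
    result = subprocess.run(build_virsh_argv(subcommand, name),
                            capture_output=True, text=True, check=True)
    return result.stdout


# Constructed sample of `virsh list --all --name` output; the last entry has
# the shape the advisory describes (an operator embedded in a domain name).
SAMPLE_LIST_OUTPUT = "web01\ndb-backup\nvm1 && echo injected\n"

if __name__ == "__main__":
    ok, bad = collect_domain_names(SAMPLE_LIST_OUTPUT)
    print("monitoring:", ok)
    print("rejected (raise an alert on these):", bad)
```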

CWE: CWE-78
Vendor: nicolargo
Product: glances
Published: Jun 25, 2026
Last Updated: Jun 25, 2026

CVSS v3 Breakdown

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Affected Versions

nicolargo / glances
< 4.5.5

References

NVD
CVE.org
EPSS Data
github.com: https://github.com/nicolargo/glances/security/advisories/GHSA-v5r2-qh84-fjx5
github.com: https://github.com/nicolargo/glances/releases/tag/v4.5.5