CVE-2026-32608

Published: Mar 18, 2026

Modified: Mar 18, 2026

PUBLISHED

CVSS v3.1

7.0

HIGH

Description

Glances is an open-source system cross-platform monitoring tool. The Glances action system allows administrators to configure shell commands that execute when monitoring thresholds are exceeded. These commands support Mustache template variables (e.g., `{{name}}`, `{{key}}`) that are populated with runtime monitoring data. The `secure_popen()` function, which executes these commands, implements its own pipe, redirect, and chain operator handling by splitting the command string before passing each segment to `subprocess.Popen(shell=False)`. Prior to 4.5.2, when a Mustache-rendered value (such as a process name, filesystem mount point, or container name) contains pipe, redirect, or chain metacharacters, the rendered command is split in unintended ways, allowing an attacker who controls a process name or container name to inject arbitrary commands. Version 4.5.2 fixes the issue.

Vendor	Product	Versions
nicolargo	glances	affected `< 4.5.2`

Weaknesses (CWE)

CWE-78

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Local

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

References

https://github.com/nicolargo/glances/security/advisories/GHSA-vcv2-q258-wrg7

x_refsource_CONFIRM

https://github.com/nicolargo/glances/commit/6f4ec53d967478e69917078e6f73f448001bf107

x_refsource_MISC

https://github.com/nicolargo/glances/releases/tag/v4.5.2

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2026-32608

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References