CVE-2026-32611

Published: Mar 18, 2026

Modified: Mar 18, 2026

PUBLISHED

CVSS v3.1

7.0

HIGH

Description

Glances is an open-source system cross-platform monitoring tool. The GHSA-x46r fix (commit 39161f0) addressed SQL injection in the TimescaleDB export module by converting all SQL operations to use parameterized queries and `psycopg.sql` composable objects. However, the DuckDB export module (`glances/exports/glances_duckdb/__init__.py`) was not included in this fix and contains the same class of vulnerability: table names and column names derived from monitoring statistics are directly interpolated into SQL statements via f-strings. While DuckDB INSERT values already use parameterized queries (`?` placeholders), the DDL construction and table name references do not escape or parameterize identifier names. Version 4.5.3 provides a more complete fix.

Vendor	Product	Versions
nicolargo	glances	affected `< 4.5.2`

Weaknesses (CWE)

CWE-89

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

Low

Availability

Low

References

https://github.com/nicolargo/glances/security/advisories/GHSA-49g7-2ww7-3vf5

x_refsource_CONFIRM

https://github.com/nicolargo/glances/commit/63b7da28895249d775202d639e5531ba63491a5c

x_refsource_MISC

https://github.com/nicolargo/glances/releases/tag/v4.5.2

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2026-32611

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References