Command Injection Vulnerability in Glances Monitoring Tool by Nicolas Grégoire
CVE-2026-32608

7 HIGH

Key Information:

Vendor: Nicolargo

Status
Vendor
CVE Published: 18 March 2026

What is CVE-2026-32608?

A command injection vulnerability has been discovered in the Glances monitoring tool that allows an attacker to inject arbitrary commands. It occurs when the tool processes Mustache template variables populated from monitored data, such as process names or container names. If these variables contain particular metacharacters, unexpected commands can be executed. The issue is present in versions prior to 4.5.2, where the secure_popen() function does not correctly handle command input, potentially allowing unauthorized command execution.

Affected Version(s)

glances < 4.5.2

CVSS V3.1

Score: 7
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
