SQL Injection Vulnerability in Glances DuckDB Export Module
CVE-2026-32611

7 HIGH

Key Information:

Vendor

Nicolargo

Status
Vendor
CVE Published:
18 March 2026

What is CVE-2026-32611?

The DuckDB export module of the Glances monitoring tool builds SQL statements by interpolating table and column names directly into the statement text, which exposes it to SQL injection. The root cause is the lack of parameterization in DDL construction: INSERT values use parameterized queries, but the identifiers, which come from monitoring statistics, are embedded directly. The issue has been partially addressed in version 4.5.3, which improves query handling.
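
The mitigation pattern for the identifier problem described above, as an added example that is not Glances code: identifiers are validated against an allow-list pattern and double-quoted before they reach DDL, while values stay bound parameters. It assumes Python's standard-library sqlite3 as a stand-in for DuckDB; the function names, the identifier policy and the sample stats are constructed for illustration.

```python
import re
import sqlite3

# Assumed policy for this example: ASCII letters, digits and underscore only.
_IDENT_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,62}")
_ALLOWED_TYPES = {"BIGINT", "DOUBLE", "VARCHAR", "BOOLEAN"}


def quote_ident(name):
    """Validate an identifier against the allow-list, then double-quote it."""
    if not isinstance(name, str) or not _IDENT_RE.fullmatch(name):
        raise ValueError(f"rejected identifier: {name!r}")
    return '"' + name.replace('"', '""') + '"'


def create_table_sql(table, columns):
    """Build CREATE TABLE from (name, type) pairs; types come from a fixed set."""
    defs = []
    for col, sql_type in columns:
        if sql_type not in _ALLOWED_TYPES:
            raise ValueError(f"rejected type: {sql_type!r}")
        defs.append(f"{quote_ident(col)} {sql_type}")
    return f"CREATE TABLE IF NOT EXISTS {quote_ident(table)} ({', '.join(defs)})"


def export_row(conn, table, row):
    """Create the table if needed and insert one row; values stay bound."""
    type_of = {bool: "BOOLEAN", int: "BIGINT", float: "DOUBLE", str: "VARCHAR"}
    columns = [(k, type_of[type(v)]) for k, v in row.items()]
    conn.execute(create_table_sql(table, columns))
    cols = ", ".join(quote_ident(k) for k in row)
    marks = ", ".join("?" for _ in row)
    conn.execute(f"INSERT INTO {quote_ident(table)} ({cols}) VALUES ({marks})",
                 list(row.values()))


def demo():
    """Export one constructed stats row, then feed a hostile stat key."""
    conn = sqlite3.connect(":memory:")
    export_row(conn, "cpu", {"total": 12.5, "cpucore": 8, "hostname": "host-a"})
    stored = conn.execute('SELECT "total", "cpucore", "hostname" FROM "cpu"').fetchall()
    rejected = False
    try:
        # Constructed key with a quote in it: refused before any SQL is built.
        export_row(conn, "cpu", {'bad"name; --': 1.0})
    except ValueError:
        rejected = True
    return stored, rejected
```

Placeholders can bind values only, so the identifier check has to run on every table and column name before the statement string is assembled.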

Affected Version(s)

glances < 4.5.2

References

CVSS V3.1

Score:
7
Severity:
HIGH
Confidentiality:
High
Integrity:
Low
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
