rpm package: opensuse/python-Glances (openSUSE Tumbleweed)
pkg:rpm/opensuse/python-Glances&distro=openSUSE%20Tumbleweed
Vulnerabilities (18)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-53925 | High | — | — | < 4.5.5-1.1 | 4.5.5-1.1 | Jun 23, 2026 | The `secure_popen()` function in `glances/secure.py` interprets `>` (file redirection), `\|` (pipe), and `&&` (command chaining) operators in command strings. These operators are applied without any validation on the target file path, piped command, or chained command |
| CVE-2026-46611 | Medium | — | — | < 4.5.5-1.1 | 4.5.5-1.1 | Jun 22, 2026 | The Glances XML-RPC server (`glances -s`, implemented in `glances/server.py`) does not validate the HTTP `Host` header, leaving it vulnerable to DNS rebinding attacks. CVE-2026-32632 (patched in 4.5.2) added `TrustedHostMiddleware` to the REST/WebUI server; the MCP |
| CVE-2026-46608 | High | — | — | < 4.5.5-1.1 | 4.5.5-1.1 | Jun 22, 2026 | The Glances XML-RPC server (`glances -s`) introduced a configurable CORS origin list in version 4.5.3 as a mitigation for CVE-2026-33533. However, the implementation silently falls back to `Access-Control-Allow-Origin: *` whenever `cors_origins` contains more than o |
| CVE-2026-46607 | High | — | — | < 4.5.5-1.1 | 4.5.5-1.1 | Jun 22, 2026 | `glances/outdated.py` uses `pickle.load()` to read a version-check cache file stored at a predictable, world-accessible path (`~/.cache/glances/glances-version.db` or `$XDG_CACHE_HOME/glances/glances-version.db`). No integrity check, signature verification, or format |
| CVE-2026-46606 | High | — | — | < 4.5.5-1.1 | 4.5.5-1.1 | Jun 22, 2026 | The Glances KVM/QEMU monitoring engine (`glances/plugins/vms/engines/virsh.py`) passes VM domain names, read directly from `virsh list --all` output, into f-string command templates that are processed by `secure_popen()`. `secure_popen()` is explicitly designed to in |
| CVE-2026-35588 | Medium | 6.3 | — | < 4.5.4-1.1 | 4.5.4-1.1 | Apr 21, 2026 | Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.4, the Cassandra export module (`glances/exports/glances_cassandra/__init__.py`) interpolates `keyspace`, `table`, and `replication_factor` configuration values directly into CQL statements with |
| CVE-2026-35587 | High | 8.8 | — | < 4.5.4-1.1 | 4.5.4-1.1 | Apr 21, 2026 | Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.4, a Server-Side Request Forgery (SSRF) vulnerability exists in the Glances IP plugin due to improper validation of the public_api configuration parameter. The value of public_api is used direct |
| CVE-2026-34839 | Medium | 6.5 | — | < 4.5.4-1.1 | 4.5.4-1.1 | Apr 21, 2026 | Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.4, the Glances web server exposes a REST API (`/api/4/*`) that is accessible without authentication and allows cross-origin requests from any origin due to a permissive CORS policy (`Access-Cont |
| CVE-2026-33641 | High | 7.8 | — | < 4.5.3-1.1 | 4.5.3-1.1 | Apr 2, 2026 | Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.3, Glances supports dynamic configuration values in which substrings enclosed in backticks are executed as system commands during configuration parsing. This behavior occurs in Config.get_value( |
| CVE-2026-33533 | Medium | 6.5 | — | < 4.5.3-1.1 | 4.5.3-1.1 | Apr 2, 2026 | Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.3, the Glances XML-RPC server (activated with glances -s or glances --server) sends Access-Control-Allow-Origin: * on every HTTP response. Because the XML-RPC handler does not validate the Conte |
| CVE-2026-32634 | — | — | — | < 4.5.2-1.1 | 4.5.2-1.1 | Mar 18, 2026 | Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.2, in Central Browser mode, Glances stores both the Zeroconf-advertised server name and the discovered IP address for dynamic servers, but later builds connection URIs from the untrusted adverti |
| CVE-2026-32633 | — | — | — | < 4.5.2-1.1 | 4.5.2-1.1 | Mar 18, 2026 | Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.2, in Central Browser mode, the `/api/4/serverslist` endpoint returns raw server objects from `GlancesServersList.get_servers_list()`. Those objects are mutated in-place during background pollin |
| CVE-2026-32632 | — | — | — | < 4.5.2-1.1 | 4.5.2-1.1 | Mar 18, 2026 | Glances is an open-source system cross-platform monitoring tool. Glances recently added DNS rebinding protection for the MCP endpoint, but prior to version 4.5.2, the main REST/WebUI FastAPI application still accepts arbitrary `Host` headers and does not apply `TrustedHostMiddlew |
| CVE-2026-32611 | — | — | — | < 4.5.2-1.1 | 4.5.2-1.1 | Mar 18, 2026 | Glances is an open-source system cross-platform monitoring tool. The GHSA-x46r fix (commit 39161f0) addressed SQL injection in the TimescaleDB export module by converting all SQL operations to use parameterized queries and `psycopg.sql` composable objects. However, the DuckDB exp |
| CVE-2026-32610 | — | — | — | < 4.5.2-1.1 | 4.5.2-1.1 | Mar 18, 2026 | Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.2, the Glances REST API web server ships with a default CORS configuration that sets `allow_origins=["*"]` combined with `allow_credentials=True`. When both of these options are enabled together |
| CVE-2026-32609 | — | — | — | < 4.5.2-1.1 | 4.5.2-1.1 | Mar 18, 2026 | Glances is an open-source system cross-platform monitoring tool. The GHSA-gh4x fix (commit 5d3de60) addressed unauthenticated configuration secrets exposure on the `/api/v4/config` endpoints by introducing `as_dict_secure()` redaction. However, the `/api/v4/args` and `/api/v4/arg |
| CVE-2026-32608 | — | — | — | < 4.5.2-1.1 | 4.5.2-1.1 | Mar 18, 2026 | Glances is an open-source system cross-platform monitoring tool. The Glances action system allows administrators to configure shell commands that execute when monitoring thresholds are exceeded. These commands support Mustache template variables (e.g., `{{name}}`, `{{key}}`) that |
| CVE-2026-32596 | — | — | — | < 4.5.2-1.1 | 4.5.2-1.1 | Mar 18, 2026 | Glances is an open-source system cross-platform monitoring tool. Prior to 4.5.2, Glances web server runs without authentication by default when started with `glances -w`, exposing REST API with sensitive system information including process command-lines containing credentials (p |