Description
Glances is an open-source, cross-platform system monitoring tool. Prior to 4.5.1, the TimescaleDB export module constructs SQL queries using string concatenation with unsanitized system monitoring data. The normalize() method wraps string values in single quotes but does not escape embedded single quotes, making SQL injection trivial via attacker-controlled data such as process names, filesystem mount points, network interface names, or container names. This vulnerability is fixed in 4.5.1.
Published: 2026-03-10
Score: 7.3 High
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection
Action: Patch
AI Analysis

Impact

Glances' TimescaleDB export module builds its SQL statements by string concatenation from unsanitized monitoring data. Its normalize() method only wraps string values in single quotes and does not escape single quotes already inside the value, so any monitored name that contains a quote (a process name, a mount point, a network interface name, a container name) closes the literal early and the remainder of the value is parsed as SQL. The weakness is CWE-89 (SQL injection); a successful injection lets the attacker read or modify data in the database the metrics are exported to.

Affected Systems

The vulnerability affects nicolargo Glances versions prior to 4.5.1 on every platform, but only deployments that have the TimescaleDB export enabled are exposed. Any monitored entity whose name the attacker controls can carry the payload: process names, filesystem mount points, network interface names, or container names.

Risk and Exploitability

The headline score of 7.3 (high) is the CNA's CVSS 4.0 rating, whose vector (AV:L, PR:N, UI:N) treats this as a local attack needing no privileges or user interaction; NVD later added a CVSS 3.1 score of 9.8 with a network attack vector (see History below), so the two records disagree on reachability. EPSS is below 1 %, the issue is not in the KEV catalog, and the SSVC assessment records Exploitation: poc and Automatable: no, so in-the-wild exploitation is currently judged unlikely. What an attacker needs is to get a single quote into a value that Glances exports. A process name is the easiest route: any local user can start a process whose name contains a quote, and the GitHub advisory title names that vector. Container names are chosen by whoever is allowed to create containers; mount points and interface names normally require root. The injected SQL runs with the privileges of the database account Glances uses for the export, so it can read or alter whatever that account can reach in the TimescaleDB instance, not only the metrics tables, and if the driver accepts stacked statements a single crafted name is enough to do so.

Generated by OpenCVE AI on April 16, 2026 at 09:47 UTC.

Remediation

Vendor fix: Glances 4.5.1 contains the fix, as stated in the CVE description and in GitHub advisory GHSA-x46r-mf5g-xpr6. No vendor-supplied workaround is listed.

OpenCVE Recommended Actions

  • Upgrade Glances to version 4.5.1 or later, which contains the fix.
  • If an upgrade is not possible, disable the TimescaleDB export module until it is; the injection is only reachable when that module writes to the database.
  • Run the export under a dedicated database role that holds only the privileges the export actually needs on its own tables, so an injected statement cannot read or alter other data in the instance.
  • Do not rely on sanitizing monitored names before they reach the module: process names, mount points and container names are set by whoever creates them, and an operator cannot filter them reliably. The durable fix belongs in the module itself (values passed as bind parameters or properly escaped), not in the data feeding it.
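The mechanism described in the Impact section and the parameterized alternative the recommended actions call for, as an added example. This is not code from Glances or from the advisory: normalize_vulnerable() and build_insert_vulnerable() are a reconstruction of the quote-and-concatenate pattern the CVE text describes, the process names and table name are constructed sample data, and SQLite's executescript() stands in for a database driver that accepts several statements in one call.

```python
import re
import sqlite3

# Constructed sample of values Glances might export (not real Glances output).
# The third entry is a process name carrying an injection payload.
SAMPLE_PROCESS_NAMES = [
    "bash",
    "python3",
    "x', 0); DROP TABLE glances_process; --",
]


def normalize_vulnerable(value):
    """Quote a value the way the advisory describes the pre-4.5.1 normalize()
    behaving: wrap strings in single quotes without escaping embedded quotes.
    Reconstruction for illustration, not the project's code."""
    if isinstance(value, str):
        return "'" + value + "'"
    if value is None:
        return "NULL"
    return str(value)


def build_insert_vulnerable(table, row):
    """Build an INSERT by string concatenation (the flawed pattern)."""
    cols = ", ".join(row.keys())
    vals = ", ".join(normalize_vulnerable(v) for v in row.values())
    return f"INSERT INTO {table} ({cols}) VALUES ({vals});"


_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def build_insert_parameterized(table, row):
    """Hardened form: identifiers (which cannot be bound) are checked against
    an allow-list pattern, and every value travels as a bind parameter so the
    driver never parses it as SQL."""
    if not _IDENT.match(table) or not all(_IDENT.match(c) for c in row):
        raise ValueError("refusing unsafe SQL identifier")
    cols = ", ".join(row.keys())
    placeholders = ", ".join("?" for _ in row)  # "%s" with psycopg
    return f"INSERT INTO {table} ({cols}) VALUES ({placeholders});", tuple(row.values())


def export_rows(names, safe):
    """Insert one row per process name into an in-memory SQLite database and
    return the resulting row count, or None if the table no longer exists.

    sqlite3.executescript() runs every statement in the string, which stands
    in for a PostgreSQL driver that accepts stacked statements in one call."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE glances_process (name TEXT, cpu REAL)")
    for name in names:
        row = {"name": name, "cpu": 1.5}
        if safe:
            sql, params = build_insert_parameterized("glances_process", row)
            conn.execute(sql, params)
        else:
            conn.executescript(build_insert_vulnerable("glances_process", row))
    try:
        return conn.execute("SELECT COUNT(*) FROM glances_process").fetchone()[0]
    except sqlite3.OperationalError:
        return None  # "no such table": the injected DROP TABLE ran
    finally:
        conn.close()


if __name__ == "__main__":
    payload_row = {"name": SAMPLE_PROCESS_NAMES[2], "cpu": 1.5}
    print(build_insert_vulnerable("glances_process", payload_row))
    print("vulnerable export, rows left:", export_rows(SAMPLE_PROCESS_NAMES, safe=False))
    print("parameterized export, rows left:", export_rows(SAMPLE_PROCESS_NAMES, safe=True))
```

With the concatenated form, the crafted process name closes the first INSERT with a valid row, appends DROP TABLE, and comments out the rest; the parameterized form stores that same string as an ordinary name, so all three rows survive. The identifier allow-list matters because table and column names cannot be bound and would otherwise become a second concatenation point.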

Advisories

Source: GitHub GHSA
ID: GHSA-x46r-mf5g-xpr6
Title: Glances has SQL Injection via Process Names in TimescaleDB Export
History

Tue, 17 Mar 2026 16:30:00 +0000

Values added:
  CPEs: cpe:2.3:a:nicolargo:glances:*:*:*:*:*:*:*:*
  Metrics (cvssV3_1): {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Wed, 11 Mar 2026 12:00:00 +0000

Values added:
  First time appeared: Nicolargo; Nicolargo glances
  Vendors & Products: Nicolargo; Nicolargo glances

Tue, 10 Mar 2026 17:15:00 +0000

Values added:
  Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 10 Mar 2026 16:30:00 +0000

Values added:
  Description: Glances is an open-source system cross-platform monitoring tool. Prior to 4.5.1, The TimescaleDB export module constructs SQL queries using string concatenation with unsanitized system monitoring data. The normalize() method wraps string values in single quotes but does not escape embedded single quotes, making SQL injection trivial via attacker-controlled data such as process names, filesystem mount points, network interface names, or container names. This vulnerability is fixed in 4.5.1.
  Title: Glances has SQL Injection via Process Names in TimescaleDB Export
  Weaknesses: CWE-89
  References:
  Metrics (cvssV4_0): {'score': 7.3, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-11T03:57:17.097Z

Reserved: 2026-03-07T16:40:05.885Z

Link: CVE-2026-30930

Vulnrichment

Updated: 2026-03-10T16:40:49.503Z

NVD

Status: Analyzed

Published: 2026-03-10T18:18:52.837

Modified: 2026-03-17T16:20:46.670

Link: CVE-2026-30930

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T10:00:14Z

Weaknesses