Description
Glances is an open-source system cross-platform monitoring tool. The Glances action system allows administrators to configure shell commands that execute when monitoring thresholds are exceeded. These commands support Mustache template variables (e.g., `{{name}}`, `{{key}}`) that are populated with runtime monitoring data. The `secure_popen()` function, which executes these commands, implements its own pipe, redirect, and chain operator handling by splitting the command string before passing each segment to `subprocess.Popen(shell=False)`. Prior to 4.5.2, when a Mustache-rendered value (such as a process name, filesystem mount point, or container name) contains pipe, redirect, or chain metacharacters, the rendered command is split in unintended ways, allowing an attacker who controls a process name or container name to inject arbitrary commands. Version 4.5.2 fixes the issue.
Published: 2026-03-18
Score: 7 High
EPSS: < 1% Very Low
KEV: No
Impact: Command Injection / Arbitrary Command Execution
Action: Apply Patch
AI Analysis

Impact

Glances, an open-source system monitoring tool, allows administrators to configure shell commands that run when thresholds are breached. These commands use Mustache template variables that are replaced with runtime data. Prior to version 4.5.2, the secure_popen() routine rendered the template and then split the resulting command string on pipe, redirect, or chain metacharacters before invoking subprocess.Popen(shell=False). When a rendered value such as a process name contains these characters, the command is split in unintended ways, enabling an attacker who can control a process name or container name to inject arbitrary shell commands (CWE-78). The impact is the ability to execute arbitrary commands on the host system, potentially compromising confidentiality, integrity, and availability.
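As an added illustration (not Glances' own code, and only a simplified model of the ordering the description above attributes to secure_popen()), the following Python compares splitting a command on shell operators after Mustache rendering with tokenizing the administrator-written template first and rendering variables into individual argv tokens. The template, variable names, operator list and process names are constructed for the example; commands are only tokenized here, never executed.

```python
import re
import shlex

# Operators the splitter treats as segment boundaries. This list is constructed
# for the example; it models the pipe/redirect/chain handling described in the
# advisory, not the project's actual implementation.
OPERATORS = ("&&", "||", "|", ";", ">", "<")
_OPERATOR_SPLIT = re.compile(
    r"\s*(?:" + "|".join(re.escape(op) for op in OPERATORS) + r")\s*"
)
_MUSTACHE_VAR = re.compile(r"\{\{\s*(\w+)\s*\}\}")


def render_mustache(text: str, context: dict) -> str:
    """Minimal {{name}} substitution; unknown variables render as empty strings."""
    return _MUSTACHE_VAR.sub(lambda m: str(context.get(m.group(1), "")), text)


def split_after_render(template: str, context: dict) -> list[list[str]]:
    """Unsafe ordering (the pre-4.5.2 pattern described above): render the
    whole template, then split the rendered string on operators and tokenize
    each segment. Runtime data is re-parsed as command syntax, so a value
    containing '|' or ';' becomes an extra segment with its own argv."""
    rendered = render_mustache(template, context)
    segments = [s for s in _OPERATOR_SPLIT.split(rendered) if s.strip()]
    return [shlex.split(segment) for segment in segments]


def split_before_render(template: str, context: dict) -> list[list[str]]:
    """Safe ordering: split and tokenize the administrator-written template
    first, then render variables inside each argv token. The segment and
    token structure is fixed by the template; a rendered value can only change
    the contents of one token, never add an operator or an argument."""
    segments = [s for s in _OPERATOR_SPLIT.split(template) if s.strip()]
    return [
        [render_mustache(token, context) for token in shlex.split(segment)]
        for segment in segments
    ]


def contains_operator(value: str) -> bool:
    """Defence-in-depth check for rendered values: flag any value carrying a
    shell operator so an action handler can log and refuse it rather than
    passing it on."""
    return any(op in value for op in OPERATORS)


if __name__ == "__main__":
    template = "logger -t glances {{name}}"  # constructed action template
    # Constructed process names: one benign, one carrying a pipe operator.
    for name in ("nginx", "nginx | INJECTED_SEGMENT"):
        ctx = {"name": name}
        print(f"name={name!r}")
        print("  after-render split :", split_after_render(template, ctx))
        print("  before-render split:", split_before_render(template, ctx))
        print("  contains operator  :", contains_operator(name))
```

With the hostile name, split_after_render returns two segments (the second consisting only of the injected text), while split_before_render returns the single segment the template defines, with the whole name held in one argv element. Pipes the administrator wrote into the template itself are still honoured by the safe ordering, because the split happens on the template, not on rendered data.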

Affected Systems

The vulnerable product is nicolargo:Glances. All versions prior to 4.5.2 are affected. This includes the CPE cpe:2.3:a:nicolargo:glances:*:*:*:*:*:*:*:*. Users running these earlier releases should be aware of the risk.

Risk and Exploitability

The CVSS score is 7, indicating high severity, while the EPSS score is below 1%, suggesting exploitation is unlikely at present. The vulnerability is not listed in CISA's KEV catalog. Exploitation requires the ability to influence process or container names that are referenced in action command templates, which can be achieved locally or remotely if an attacker can create such names. The insecure handling of Mustache-rendered values allows command splitting, providing a code execution path once the condition is met.

Generated by OpenCVE AI on March 18, 2026 at 19:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Glances to version 4.5.2 or later.

Advisories
Source: Github GHSA
ID: GHSA-vcv2-q258-wrg7
Title: Glances has a Command Injection via Process Names in Action Command Templates
History

Wed, 18 Mar 2026 18:30:00 +0000
Type: CPEs
Values Added: cpe:2.3:a:nicolargo:glances:*:*:*:*:*:*:*:*

Wed, 18 Mar 2026 16:15:00 +0000
Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 18 Mar 2026 12:15:00 +0000
Type: First Time appeared
Values Added: Nicolargo; Nicolargo glances
Type: Vendors & Products
Values Added: Nicolargo; Nicolargo glances

Wed, 18 Mar 2026 06:30:00 +0000
Type: Description
Values Added: Glances is an open-source system cross-platform monitoring tool. The Glances action system allows administrators to configure shell commands that execute when monitoring thresholds are exceeded. These commands support Mustache template variables (e.g., `{{name}}`, `{{key}}`) that are populated with runtime monitoring data. The `secure_popen()` function, which executes these commands, implements its own pipe, redirect, and chain operator handling by splitting the command string before passing each segment to `subprocess.Popen(shell=False)`. Prior to 4.5.2, when a Mustache-rendered value (such as a process name, filesystem mount point, or container name) contains pipe, redirect, or chain metacharacters, the rendered command is split in unintended ways, allowing an attacker who controls a process name or container name to inject arbitrary commands. Version 4.5.2 fixes the issue.
Type: Title
Values Added: Glances has a Command Injection via Process Names in Action Command Templates
Type: Weaknesses
Values Added: CWE-78
Type: References
Type: Metrics (cvssV3_1)
Values Added: {'score': 7, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-18T15:39:15.123Z

Reserved: 2026-03-12T14:54:24.270Z

Link: CVE-2026-32608

Vulnrichment

Updated: 2026-03-18T15:39:05.574Z

NVD

Status : Analyzed

Published: 2026-03-18T07:16:21.447

Modified: 2026-03-18T18:27:43.953

Link: CVE-2026-32608

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-24T10:59:15Z

Weaknesses