Description
Glances is an open-source system cross-platform monitoring tool. The GHSA-x46r fix (commit 39161f0) addressed SQL injection in the TimescaleDB export module by converting all SQL operations to use parameterized queries and `psycopg.sql` composable objects. However, the DuckDB export module (`glances/exports/glances_duckdb/__init__.py`) was not included in this fix and contains the same class of vulnerability: table names and column names derived from monitoring statistics are directly interpolated into SQL statements via f-strings. While DuckDB INSERT values already use parameterized queries (`?` placeholders), the DDL construction and table name references do not escape or parameterize identifier names. Version 4.5.3 provides a more complete fix.
Published: 2026-03-18
Score: 7 High
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection via DuckDB Export
Action: Update
AI Analysis

Impact

Glances, an open‑source system monitoring tool, has a flaw in the DuckDB export module where table and column names are interpolated directly into DDL statements using f‑strings. This unparameterized identifier insertion allows an attacker who can influence monitoring statistics or trigger the export to inject arbitrary SQL. The vulnerability is classified as CVE‑2026‑32611 and is a classic SQL injection (CWE‑89) that can compromise data integrity and confidentiality by allowing malicious DDL operations.

Affected Systems

The affected product is Glances from the vendor 'nicolargo' (CPE: cpe:2.3:a:nicolargo:glances:*:*:*:*:*:*:*).* All releases prior to version 4.5.3 are vulnerable, including the 4.5.2 release referenced in the advisory. The vulnerability exists in the DuckDB export module located at glances/exports/glances_duckdb/__init__.py.

Risk and Exploitability

The CVSS score is 7, indicating high severity. The EPSS score is reported as less than 1%, suggesting that exploitation is relatively uncommon. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog. Attackers would need local or otherwise privileged access to execute the vulnerable export function; however, the unparameterized DDL lets an attacker potentially write arbitrary tables or drop data. The lack of a public exploit does not negate the risk, and the severity rating recommends remediation.

Generated by OpenCVE AI on March 19, 2026 at 20:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Glances to version 4.5.3 or later, which includes a complete fix for the DuckDB export module.
  • Verify that any exported data is generated from trusted input sources before activation of the DuckDB export feature.

Generated by OpenCVE AI on March 19, 2026 at 20:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-49g7-2ww7-3vf5 Glances has a SQL Injection in DuckDB Export via Unparameterized DDL Statements
History

Thu, 19 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:nicolargo:glances:*:*:*:*:*:*:*:*

Thu, 19 Mar 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Nicolargo
Nicolargo glances
Vendors & Products Nicolargo
Nicolargo glances

Wed, 18 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 18 Mar 2026 17:30:00 +0000

Type Values Removed Values Added
Description Glances is an open-source system cross-platform monitoring tool. The GHSA-x46r fix (commit 39161f0) addressed SQL injection in the TimescaleDB export module by converting all SQL operations to use parameterized queries and `psycopg.sql` composable objects. However, the DuckDB export module (`glances/exports/glances_duckdb/__init__.py`) was not included in this fix and contains the same class of vulnerability: table names and column names derived from monitoring statistics are directly interpolated into SQL statements via f-strings. While DuckDB INSERT values already use parameterized queries (`?` placeholders), the DDL construction and table name references do not escape or parameterize identifier names. Version 4.5.3 provides a more complete fix.
Title Glances has a SQL Injection in DuckDB Export via Unparameterized DDL Statements
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L'}

Subscriptions

Nicolargo Glances
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-18T18:51:23.479Z

Reserved: 2026-03-12T14:54:24.270Z

Link: CVE-2026-32611

cve-icon Vulnrichment

Updated: 2026-03-18T18:51:13.340Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-18T18:16:28.593

Modified: 2026-03-19T19:11:13.467

Link: CVE-2026-32611

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-24T10:58:27Z

Weaknesses