Impact
Glances is an open-source system monitoring application that, until version 4.5.3, processed configuration entries containing back-ticked substrings as shell commands. The parsing routine executes these commands without any validation or restriction. As a result, any attacker who can modify or influence the configuration files can insert arbitrary shell commands that run with the privileges of the Glances process during startup or when the configuration is reloaded. If Glances is executed as a system service or under an elevated account, this flaw can lead to privilege escalation, allowing the attacker to execute commands with administrative rights on the host.
Affected Systems
All installations of nicolargo Glances prior to version 4.5.3 are affected. Users operating the application with elevated privileges, such as system services or users with administrative rights, are at higher risk because the executed commands inherit those privileges. The vulnerability is not limited to a single instance; any host running an old Glances binary is potentially vulnerable.
Risk and Exploitability
The CVSS v3.1 base score of 7.8 indicates high severity. Exploit Prediction Scoring System (EPSS) data is not available and the vulnerability is not listed in the CISA KEV catalog. Based on the description, the attack vector requires the ability to modify or influence the Glances configuration files; no network-based exploitation path is documented in the available description. Therefore, if an attacker has local or remote write access to the configuration location, they can trigger arbitrary command execution. The lack of input validation and the potential for elevated execution make exploitation feasible and dangerous, particularly in environments where Glances runs with system-level privileges.
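The two conditions described above (back-ticked substrings in configuration entries, and a configuration file writable by someone other than the account that runs Glances) can both be audited before the service starts. The following is an added example, not code from the Glances project or from the advisory: it scans an INI-style configuration text for back-ticked substrings and checks the file's permission bits. The sample configuration is constructed for this example, and the section and key names in it are used only as illustrative INI entries.

```python
import os
import re
import stat
from pathlib import Path

# Matches any substring wrapped in back-ticks; the vulnerable parser treated
# such substrings as shell commands to run (per the advisory above).
BACKTICK_RE = re.compile(r"`([^`]*)`")

# Constructed sample configuration for this example (INI-style text).
SAMPLE_CONF = """\
[cpu]
careful=50
warning=70
critical=90

[ports]
port_1_host=`uptime`
port_1_description=Example entry

[amps]
amp_1_command=echo `id`
"""


def find_backtick_entries(text):
    """Return a list of (lineno, line, inner) for every back-ticked substring.

    Comment lines ('#' or ';') and blank lines are skipped so that commented
    documentation does not produce false positives.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith(("#", ";")):
            continue
        for match in BACKTICK_RE.finditer(line):
            findings.append((lineno, line.rstrip(), match.group(1)))
    return findings


def check_permissions(path):
    """Return a list of permission issues for a config file.

    A config that can be written by group members or by everyone lets
    accounts other than the service owner influence what the parser runs.
    """
    mode = os.stat(path).st_mode
    issues = []
    if mode & stat.S_IWOTH:
        issues.append("world-writable")
    if mode & stat.S_IWGRP:
        issues.append("group-writable")
    return issues


def audit_config_file(path):
    """Audit one config file; returns a dict with both kinds of findings."""
    path = Path(path)
    text = path.read_text(encoding="utf-8", errors="replace")
    return {
        "path": str(path),
        "backticks": find_backtick_entries(text),
        "permissions": check_permissions(path),
    }


if __name__ == "__main__":
    for lineno, line, inner in find_backtick_entries(SAMPLE_CONF):
        print(f"line {lineno}: back-ticked substring {inner!r} in: {line}")
```

Run this against each configuration location the Glances process reads before upgrading to 4.5.3; any line reported should be treated as a shell command that the old parser would have executed, and any permission issue as a path by which the entry could have been planted.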
OpenCVE Enrichment
Github GHSA