Description
Glances is an open-source, cross-platform system monitoring tool. Prior to 4.5.5, the Glances KVM/QEMU monitoring engine (glances/plugins/vms/engines/virsh.py) passes VM domain names, read directly from virsh list --all output, into f-string command templates that are processed by secure_popen(). secure_popen() is explicitly designed to interpret &&, |, and > as shell operators. Because domain names are never sanitised before interpolation, any user with the ability to create or rename a KVM/QEMU virtual machine can execute arbitrary commands as the OS user running Glances, commonly root on hypervisor hosts. This vulnerability is fixed in 4.5.5.
Published: 2026-06-25
Score: 7.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Glances, an open-source cross-platform monitoring tool, has an OS command injection flaw in its KVM/QEMU engine (glances/plugins/vms/engines/virsh.py). The engine reads VM domain names from virsh list --all output and interpolates them, unsanitised, into f-string command templates that are then handed to secure_popen(), which by design treats &&, | and > as shell operators. A domain name carrying one of those operators therefore splits the template into additional commands. Any user who can create or rename a virtual machine can thus execute arbitrary commands as the OS user running Glances, typically root on hypervisor hosts. The weakness is CWE-78, Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection').

Affected Systems

Affected is Glances (nicolargo:glances) in all versions prior to 4.5.5, i.e. 4.5.4 and earlier, on hosts where the KVM/QEMU (virsh) monitoring engine is active. Version 4.5.5 contains the fix; see GHSA-v5r2-qh84-fjx5 for the advisory.

Risk and Exploitability

The issue carries a CVSS 3.1 base score of 7.8 (High), vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H: local access with low privileges, no user interaction, and high impact on confidentiality, integrity and availability. No EPSS score is available, and the flaw is not in the CISA KEV catalogue, which only means no exploitation has been recorded there; the SSVC record lists Exploitation: poc, Automatable: no and Technical Impact: total. Exploitation is straightforward wherever a user can create or rename a VM domain, since the payload is simply a domain name containing &&, | or >, and the Glances process picks it up on its next poll. The attacker needs a local account with virsh rights on the host, but gains code execution as the Glances user, often root, which makes this a privilege-escalation path on hypervisors.

Generated by OpenCVE AI on June 25, 2026 at 19:22 UTC.

Remediation

Fixed upstream in Glances 4.5.5 (GHSA-v5r2-qh84-fjx5). No separate workaround is published by the vendor.

OpenCVE Recommended Actions

  • Upgrade Glances to version 4.5.5 or later, which fixes the injection flaw.
  • If upgrading immediately is not possible, run Glances under a non-privileged user so that an injected command does not run as root. This limits the blast radius but does not remove the injection; the injected command still runs as the Glances user.
  • Limit and audit the permissions of users who can create or rename KVM/QEMU virtual machines so that only trusted administrators can modify VM domain names, and review existing domain names on each host for &&, | and > before the patched version is in place.
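The following is an added illustration, not Glances' code and not part of the OpenCVE page: it models the unsafe f-string interpolation described above, dry-runs a simplified operator-aware runner (a stand-in for secure_popen() that only splits on &&, | and >, never executing anything), builds the hardened argv-list replacement, and implements the audit check from the last recommendation. The `virsh dommemstat` subcommand, the domain-name allowlist regex and the sample `virsh list --all --name` output are all assumptions constructed for the example.

```python
"""Added illustration for CVE-2026-46606: the unsafe interpolation pattern,
a dry-run model of an operator-aware runner, a hardened argv builder, and an
audit helper. This is NOT Glances code; secure_popen() is modelled, not copied."""
import re
import subprocess
from typing import List

# The three operators the advisory says secure_popen() interprets.
OPERATOR_RE = re.compile(r"\s*(&&|\||>)\s*")

# ASSUMPTION: an allowlist for acceptable domain names. libvirt itself is more
# permissive; a deployment would tune this to the names it actually uses.
DOMAIN_NAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")

# Constructed sample of `virsh list --all --name` output (not from a real host).
# The last two names carry the operators the advisory names.
SAMPLE_VIRSH_NAMES = "web-01\ndb_02\nvm1 && id\nbackup > /tmp/out\n"


def vulnerable_template(domain: str) -> str:
    """The unsafe pattern: an untrusted domain name dropped into an f-string.
    `virsh dommemstat` is a stand-in subcommand, not necessarily the one Glances runs."""
    return f"virsh dommemstat {domain}"


def model_operator_runner(cmd: str) -> List[List[str]]:
    """Dry-run model of a runner that treats &&, | and > as operators: split the
    string on them and return the argv each segment would become. Nothing runs.
    A crafted name therefore yields more than one argv."""
    parts = OPERATOR_RE.split(cmd)
    segments = [p for p in parts if p and p not in ("&&", "|", ">")]
    return [seg.split() for seg in segments]


def hardened_argv(domain: str) -> List[str]:
    """Safe pattern: validate first, then build an argv list that is never parsed
    for operators, so the name is a single argument whatever it contains."""
    if not DOMAIN_NAME_RE.fullmatch(domain):
        raise ValueError(f"rejected domain name: {domain!r}")
    return ["virsh", "dommemstat", "--domain", domain]


def is_accepted(domain: str) -> bool:
    """True if the hardened builder would accept the name."""
    try:
        hardened_argv(domain)
    except ValueError:
        return False
    return True


def run_hardened(domain: str) -> str:
    """Execute with a list argv and no shell (needs virsh; not exercised by tests)."""
    proc = subprocess.run(hardened_argv(domain), check=True, capture_output=True, text=True)
    return proc.stdout


def suspicious_domain_names(virsh_name_output: str) -> List[str]:
    """Audit helper for an unpatched host: flag names from `virsh list --all --name`
    that contain one of the operators or fall outside the allowlist."""
    names = [line.strip() for line in virsh_name_output.splitlines() if line.strip()]
    return [n for n in names if OPERATOR_RE.search(n) or not DOMAIN_NAME_RE.fullmatch(n)]


if __name__ == "__main__":
    for name in suspicious_domain_names(SAMPLE_VIRSH_NAMES):
        print(f"{name!r} -> {model_operator_runner(vulnerable_template(name))}")
```

The dry run makes the mechanism visible: the name `vm1 && id` turns one template into two argv lists, the second being `id`, while `hardened_argv` rejects the same name outright and would pass an accepted name as a single argument even if the allowlist were relaxed, because a list argv is never re-parsed for operators. The audit helper can be pointed at real `virsh list --all --name` output on hosts that cannot be upgraded yet.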

Generated by OpenCVE AI on June 25, 2026 at 19:22 UTC.

Advisories
Source: GitHub GHSA
ID: GHSA-v5r2-qh84-fjx5
Title: Glances is Vulnerable to Command Injection via KVM/QEMU VM Domain Names in glances/plugins/vms/engines/virsh.py
History

Thu, 25 Jun 2026 21:30:00 +0000

First Time appeared (values added): Nicolargo; Nicolargo glances
Vendors & Products (values added): Nicolargo; Nicolargo glances

Thu, 25 Jun 2026 19:30:00 +0000

Metrics (values added): ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 25 Jun 2026 18:30:00 +0000

Description (values added): Glances is an open-source system cross-platform monitoring tool. Prior to 4.5.5, the Glances KVM/QEMU monitoring engine (glances/plugins/vms/engines/virsh.py) passes VM domain names, read directly from virsh list --all output, into f-string command templates that are processed by secure_popen(). secure_popen() is explicitly designed to interpret &&, |, and > as shell operators. Because domain names are never sanitised before interpolation, any user with the ability to create or rename a KVM/QEMU virtual machine can execute arbitrary commands as the OS user running Glances — commonly root on hypervisor hosts. This vulnerability is fixed in 4.5.5.
Title (values added): Glances: Command Injection via KVM/QEMU VM Domain Names in glances/plugins/vms/engines/virsh.py
Weaknesses (values added): CWE-78
References (values added): none listed
Metrics (values added): cvssV3_1
{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-25T18:29:51.267Z

Reserved: 2026-05-15T19:34:14.011Z

Link: CVE-2026-46606

Vulnrichment

Updated: 2026-06-25T18:29:46.224Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T21:15:05Z

Weaknesses
  • CWE-78

    Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')