cvedb.io
CVE-2026-33641
HIGH · CVSS 7.8
EPSS exploitation probability: 0%
Published 2026-04-02T15:16:40.040 · Last modified 2026-06-17T10:37:49.903

Summary

Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.3, Glances supports dynamic configuration values in which substrings enclosed in backticks are executed as system commands during configuration parsing. This behavior occurs in Config.get_value() and is implemented without validation or restriction of the executed commands. If an attacker can modify or influence configuration files, arbitrary commands will execute automatically with the privileges of the Glances process during startup or configuration reload. In deployments where Glances runs with elevated privileges (e.g., as a system service), this may lead to privilege escalation. This issue has been patched in version 4.5.3.

Affected products

nicolargo — glances

Does this affect you?

Add your gear to cvedb and we'll alert you only when nicolargo ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.