CVE-2026-33641 in glances
要約 (英語)
Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.3, Glances supports dynamic configuration values in which substrings enclosed in backticks are executed as system commands during configuration parsing. This behavior occurs in Config.get_value() and is implemented without validation or restriction of the executed commands. If an attacker can modify or influence configuration files, arbitrary commands will execute automatically with the privileges of the Glances process during startup or configuration reload. In deployments where Glances runs with elevated privileges (e.g., as a system service), this may lead to privilege escalation. This issue has been patched in version 4.5.3.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
責任者
GitHub_M
予約する
2026年03月23日
公開
2026年04月02日
ステータス
確認済み
エントリ
VulDB provides additional information and datapoints for this CVE:
| 識別子 | 脆弱性 | CWE | 悪用可 | 対策 | CVE |
|---|---|---|---|---|---|
| 354891 | nicolargo glances Configuration Config.get_value 特権昇格 | 78 | 未定義 | 公式な修正 | CVE-2026-33641 |