Description

Glances is an open-source system cross-platform monitoring tool. The Glances action system allows administrators to configure shell commands that execute when monitoring thresholds are exceeded. These commands support Mustache template variables (e.g., `{{name}}`, `{{key}}`) that are populated with runtime monitoring data. The `secure_popen()` function, which executes these commands, implements its own pipe, redirect, and chain operator handling by splitting the command string before passing each segment to `subprocess.Popen(shell=False)`. Prior to 4.5.2, when a Mustache-rendered value (such as a process name, filesystem mount point, or container name) contains pipe, redirect, or chain metacharacters, the rendered command is split in unintended ways, allowing an attacker who controls a process name or container name to inject arbitrary commands. Version 4.5.2 fixes the issue.

INFO

Published Date :

2026-03-18T06:03:22.153Z

Last Modified :

2026-03-18T15:39:15.123Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-32608 vulnerability.

Vendors Products
Nicolargo
  • Glances
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-32608.

URL Resource
https://github.com/nicolargo/glances/commit/6f4ec53d967478e69917078e6f73f448001bf107 cve-icon cve-icon
https://github.com/nicolargo/glances/releases/tag/v4.5.2 cve-icon cve-icon
https://github.com/nicolargo/glances/security/advisories/GHSA-vcv2-q258-wrg7 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact