Description

Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.3, Glances supports dynamic configuration values in which substrings enclosed in backticks are executed as system commands during configuration parsing. This behavior occurs in Config.get_value() and is implemented without validation or restriction of the executed commands. If an attacker can modify or influence configuration files, arbitrary commands will execute automatically with the privileges of the Glances process during startup or configuration reload. In deployments where Glances runs with elevated privileges (e.g., as a system service), this may lead to privilege escalation. This issue has been patched in version 4.5.3.

INFO

Published Date :

2026-04-02T14:57:51.120Z

Last Modified :

2026-04-02T16:22:08.154Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-33641 vulnerability.

Vendors Products
Nicolargo
  • Glances
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-33641.

URL Resource
https://github.com/nicolargo/glances/commit/358d76a225fc21a9f95d2c4d7e46fafe64a644c6 cve-icon cve-icon
https://github.com/nicolargo/glances/releases/tag/v4.5.3 cve-icon cve-icon
https://github.com/nicolargo/glances/security/advisories/GHSA-qhj7-v7h7-q4c7 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact