PT-2026-25849

Restriction · Published 2026-01-01 · Updated 2026-05-08 · CVE-2026-32611

CVSS v2.0: 9.4 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:N
Name of the Vulnerable Software and Affected Versions: Glances versions prior to 4.5.3
Description: Glances, a cross-platform system monitoring tool, contains a SQL injection issue in its DuckDB export module. The TimescaleDB export module had previously been fixed for SQL injection by switching to parameterized queries, but the same fix was not applied to the DuckDB export module. Table and column names derived from monitoring statistics are interpolated directly into SQL statements via f-strings, specifically in the DDL (CREATE TABLE) construction and in table name references. While INSERT values are passed as query parameters, the table name and column names are neither escaped nor parameterized; parameter binding covers values only, so identifiers need their own validation or quoting. This issue could lead to data integrity compromise or unauthorized table creation. The vulnerability exists because stat dictionary keys, which future plugins could source from external data, are used in SQL queries without proper sanitization; exploitability therefore depends on a plugin exposing attacker-influenced stat keys.
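The pattern the description refers to, as an added illustration that is not Glances' own code: the unsafe DDL builder interpolates stat keys into an f-string, so a crafted key adds a column of the attacker's choosing in a single statement, while the hardened builder allow-lists and double-quotes every identifier and keeps values as bound parameters. The function names are hypothetical, the stat dictionaries are constructed inputs, and sqlite3 from the standard library stands in for DuckDB so the block runs offline (both accept double-quoted identifiers and `?` value placeholders, which is the assumption the example rests on).

```python
import re
import sqlite3

# Assumption: sqlite3 (stdlib) stands in for DuckDB so this runs offline; both
# accept the double-quoted identifiers and "?" placeholders used below.
# Function names are illustrative and not taken from Glances.

IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def sql_type(value) -> str:
    """Map a stat value to a column type (numeric stats become DOUBLE)."""
    return "DOUBLE" if isinstance(value, (int, float)) else "TEXT"


def ddl_unsafe(table: str, stats: dict) -> str:
    """Vulnerable pattern: table and column names are taken straight from the
    stat dict keys and interpolated with an f-string, so a crafted key becomes
    part of the DDL that is executed."""
    cols = ", ".join(f"{key} {sql_type(val)}" for key, val in stats.items())
    return f"CREATE TABLE IF NOT EXISTS {table} (time TIMESTAMP, {cols})"


def quote_ident(name: str) -> str:
    """Allow-list the identifier, then double-quote it. Parameter binding does
    not cover identifiers, so this is where they are made safe; the quote
    doubling is belt-and-braces on top of the allow-list."""
    if not IDENT_RE.match(name):
        raise ValueError(f"unsafe SQL identifier rejected: {name!r}")
    return '"' + name.replace('"', '""') + '"'


def ddl_safe(table: str, stats: dict) -> str:
    """Hardened DDL: every identifier goes through quote_ident()."""
    cols = ", ".join(f"{quote_ident(k)} {sql_type(v)}" for k, v in stats.items())
    return (f"CREATE TABLE IF NOT EXISTS {quote_ident(table)} "
            f"({quote_ident('time')} TIMESTAMP, {cols})")


def insert_safe(table: str, stats: dict, ts: str) -> tuple:
    """Identifiers validated and quoted; values stay as bound parameters."""
    names = ["time", *stats]
    cols = ", ".join(quote_ident(n) for n in names)
    marks = ", ".join("?" for _ in names)
    sql = f"INSERT INTO {quote_ident(table)} ({cols}) VALUES ({marks})"
    return sql, (ts, *stats.values())


def table_columns(conn: sqlite3.Connection, table: str) -> list:
    # pragma_table_info is a table-valued function, so the name can be bound.
    rows = conn.execute("SELECT name FROM pragma_table_info(?)", (table,))
    return [r[0] for r in rows]


def demo() -> dict:
    # Constructed inputs: the hostile dict's last key smuggles an extra column
    # definition through the unquoted DDL. It is one statement, so no stacked
    # query is needed and the trick works even with single-statement drivers.
    honest = {"cpu_total": 12.5, "mem_percent": 40.0}
    hostile = {"cpu_total": 12.5, "mem_percent DOUBLE, injected_col": 1.0}

    conn = sqlite3.connect(":memory:")
    conn.execute(ddl_unsafe("cpu", hostile))
    unsafe_cols = table_columns(conn, "cpu")  # injected_col is now present

    try:
        ddl_safe("cpu", hostile)
        hostile_rejected = False
    except ValueError:
        hostile_rejected = True

    conn.execute(ddl_safe("cpu_safe", honest))
    sql, params = insert_safe("cpu_safe", honest, "2026-01-01T00:00:00Z")
    conn.execute(sql, params)
    rows = conn.execute(f"SELECT COUNT(*) FROM {quote_ident('cpu_safe')}").fetchone()[0]
    return {
        "unsafe_columns": unsafe_cols,
        "hostile_rejected": hostile_rejected,
        "safe_columns": table_columns(conn, "cpu_safe"),
        "rows": rows,
    }


if __name__ == "__main__":
    print(demo())
```

Running the block shows the unquoted builder creating a table with a fourth, attacker-named column, while the hardened builder raises before any SQL is sent. The allow-list is deliberately strict: quoting alone would stop this particular payload, but rejecting anything outside `[A-Za-z0-9_]` also keeps a surprising key from silently becoming a schema change in an export target.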
Recommendations: Update to Glances version 4.5.3 or later.

Weakness Enumeration

SQL injection

Related Identifiers

BDU:2026-07160
CVE-2026-32611
GHSA-49G7-2WW7-3VF5
OPENSUSE-SU-2026:10415-1

Affected Products

Glance
Red Os