PT-2026-29155 · Glance · Glance

Mith36 · Published 2026-03-30 · Updated 2026-04-09 · CVE-2026-33641

CVSS v3.1: 7.8 High

Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Glances versions prior to 4.5.3

Description: Glances, a cross-platform system monitoring tool, allows the execution of arbitrary system commands through dynamic configuration values. Specifically, substrings enclosed in backticks within configuration files are executed without validation using the system exec() function. This occurs during configuration parsing in Config.get_value(). If an attacker can modify or influence these configuration files, they can execute commands with the privileges of the Glances process. This is particularly dangerous if Glances is running with elevated privileges, potentially leading to privilege escalation. The vulnerable files include glances/config.py and glances/globals.py. A proof of concept demonstrates arbitrary command execution by creating a malicious configuration file containing a command within backticks and launching Glances with this configuration.

Recommendations: Update Glances to version 4.5.3 or later.
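The two preconditions the description names are a config value containing a backtick-enclosed substring and an attacker able to write the configuration file. The following audit script, added here as an example and not code from the advisory or the Glances project, checks both on an INI-style Glances config; the sample config and the option name `host_alias` are constructed, and the file layout is assumed to be parseable by Python's configparser.

```python
import configparser
import re
import os
import stat

# A backtick-enclosed substring inside a config value. Vulnerable Glances
# releases (< 4.5.3) run such substrings as commands while parsing the
# configuration, so their presence is what an auditor wants to flag.
BACKTICK_RE = re.compile(r"`([^`]*)`")

# Constructed sample in Glances' INI-style layout (hypothetical content,
# not taken from the advisory or the Glances project).
SAMPLE_CONFIG = """
[global]
refresh=2

[amps]
enable=true
# dynamic value: a vulnerable release would execute the backtick body
host_alias=prefix-`hostname`
"""


def find_dynamic_values(config_text):
    """Return (section, option, backtick_body) for every value that
    carries a backtick-enclosed substring, in file order."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(config_text)
    findings = []
    for section in parser.sections():
        for option, value in parser.items(section):
            for match in BACKTICK_RE.finditer(value):
                findings.append((section, option, match.group(1)))
    return findings


def writable_by_others(path):
    """True if group or world can write the file, i.e. the advisory's
    precondition (an attacker able to modify the config) can be met."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_config_file(path):
    """Combine both checks for one on-disk Glances configuration file."""
    with open(path, encoding="utf-8") as handle:
        findings = find_dynamic_values(handle.read())
    return {"dynamic_values": findings, "writable_by_others": writable_by_others(path)}
```

Run `audit_config_file()` against each Glances config location on a host that cannot yet be upgraded; any non-empty `dynamic_values` list on a file that is `writable_by_others` is the condition the advisory describes.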

Exploit · Fix · OS Command Injection


Weakness Enumeration

Related Identifiers

CVE-2026-33641
GHSA-QHJ7-V7H7-Q4C7
OPENSUSE-SU-2026:10519-1

Affected Products

Glance