CVE-2026-46606 | Glances is an open-source system cross-platform monitoring t… | CVSS 7.8 HIGH

Description

Glances is an open-source system cross-platform monitoring tool. Prior to 4.5.5, the Glances KVM/QEMU monitoring engine (glances/plugins/vms/engines/virsh.py) passes VM domain names, read directly from virsh list --all output, into f-string command templates that are processed by secure_popen(). secure_popen() is explicitly designed to interpret &&, |, and > as shell operators. Because domain names are never sanitised before interpolation, any user with the ability to create or rename a KVM/QEMU virtual machine can execute arbitrary commands as the OS user running Glances — commonly root on hypervisor hosts. This vulnerability is fixed in 4.5.5.

Metadata

CVE ID: CVE-2026-46606
State: PUBLISHED
Assigner: GitHub_M
Reserved: 2026-05-15 19:34 UTC
Published: 2026-06-25 18:02 UTC
Last updated: 2026-06-25 18:29 UTC
Primary CWE: CWE-78
CWE-78: Improper Neutralization of Special Elements used in …
Vendor / Product: nicolargo / glances
Sources: cve.org · NVD

Severity & Metrics

7.8 HIGH CVSS 3.1

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

SSVC — CISA Coordinator

Exploitation: PoC
Automatable: no
Tech. Impact: total

Affected products (1)

Vendor	Product	Platform	Versions
nicolargo	glances	—	< 4.5.5

Weakness (CWE)

CWE	Source	Description
CWE-78	cna	CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CVSS scores (1)

Score	Severity	Version	Source	Vector
7.8	HIGH	3.1	cna	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References (2)

https://github.com/nicolargo/glances/security/advisories/GHSA-v5r2-qh84-fjx5 https://github.com/nicolargo/glances/security/advisories/GHSA-v5r2-qh84-fjx5
https://github.com/nicolargo/glances/releases/tag/v4.5.5 https://github.com/nicolargo/glances/releases/tag/v4.5.5