CVE-2026-35588
6.3
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L
Summary
Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.4, the Cassandra export module (glances/exports/glances_cassandra/__init__.py) interpolates keyspace, table, and replication_factor configuration values directly into CQL statements without validation. A user with write access to glances.conf can redirect all monitoring data to an attacker-controlled Cassandra keyspace. Version 4.5.4 contains a fix.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| nicolargo | glances | < 4.5.4 | affected |
Weaknesses
- CWE-89: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: no
- Technical Impact: total
Additional References
References
- https://github.com/nicolargo/glances/security/advisories/GHSA-grp3-h8m8-45p7
- https://github.com/nicolargo/glances/commit/d339181f03a14bb15506307e9d58f876e23d8160
- https://github.com/nicolargo/glances/commit/e41b665576f9fd5374e3152078726cc59a01e48c
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.