CVE Catalog

CVE-2026-46606

HighCVSS 7.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.21%

12th percentile — higher than 12% of all known CVEs

Summary

Glances is a system monitoring tool that prior to version 4.5.5 had a vulnerability in the KVM/QEMU monitoring engine. VM domain names were passed into command templates without proper sanitization, allowing users with the ability to create or rename virtual machines to execute arbitrary commands.

Risk Assessment

Users with access to create or modify virtual machines can gain access to the operating system running Glances, posing a serious security risk, especially when Glances runs with root privileges.

Recommendation

It is recommended to update Glances to version 4.5.5 or later to mitigate this vulnerability. Additionally, consider restricting user permissions for creating and modifying virtual machines.

Original NVD description (English source)

Glances is an open-source system cross-platform monitoring tool. Prior to 4.5.5, the Glances KVM/QEMU monitoring engine (glances/plugins/vms/engines/virsh.py) passes VM domain names, read directly from virsh list --all output, into f-string command templates that are processed by secure_popen(). secure_popen() is explicitly designed to interpret &&, |, and > as shell operators. Because domain names are never sanitised before interpolation, any user with the ability to create or rename a KVM/QEMU virtual machine can execute arbitrary commands as the OS user running Glances — commonly root on hypervisor hosts. This vulnerability is fixed in 4.5.5.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS