CVE Catalog

CVE-2026-46608

HighCVSS 7.4
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.40%

32th percentile — higher than 32% of all known CVEs

Summary

In Glances before version 4.5.5, a vulnerability exists in the XML-RPC server. When the CORS origin list (cors_origins) contains more than one entry, the implementation incorrectly sets the Access-Control-Allow-Origin header to *, allowing access from any origin. A malicious web page can thus read the full system monitoring dataset without the victim's knowledge.

Risk Assessment

The organization risks unauthorized leakage of sensitive system data (e.g., CPU load, memory, processes) to external, potentially malicious websites, which may compromise the confidentiality and security of the IT infrastructure.

Recommendation

Immediately update Glances to version 4.5.5 or later. If an update is not possible, temporarily restrict access to the XML-RPC server via a firewall or configure the cors_origins list with a single entry.

Original NVD description (English source)

Glances is an open-source system cross-platform monitoring tool. Prior to 4.5.5, the Glances XML-RPC server (glances -s) introduced a configurable CORS origin list in version 4.5.3 as a mitigation for CVE-2026-33533. However, the implementation silently falls back to Access-Control-Allow-Origin: * whenever cors_origins contains more than one entry. An operator who configures an explicit two-entry allowlist (e.g. two internal dashboard origins) intending to restrict browser access instead receives the unrestricted wildcard. A malicious web page served from any origin can issue a CORS simple request to /RPC2 and read the full system monitoring dataset without the victim's knowledge. This vulnerability is fixed in 4.5.5.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS