Glances is a cross-platform open-source system monitoring tool that supports exporting monitoring data to TimescaleDB, a time-series database built on PostgreSQL. Prior to version 4.5.1, the TimescaleDB export module in Glances constructs SQL queries by concatenating strings that include system monitoring data such as process names, filesystem mount points, network interface names, and container names. The normalize() method attempts to wrap string values in single quotes but fails to escape embedded single quotes within these values. This improper neutralization of special characters (CWE-89) leads to a trivial SQL injection vulnerability. An attacker who can control or influence monitored data fields can inject malicious SQL commands, potentially compromising the database's confidentiality, integrity, and availability. The vulnerability does not require authentication or user interaction but does require local or container-level access to supply crafted data. The CVSS 4.0 base score is 7.3 (high severity), reflecting the high impact on confidentiality, integrity, and availability, combined with low attack complexity and no privileges required. The issue was publicly disclosed on March 10, 2026, and fixed in Glances 4.5.1. No known exploits are currently reported in the wild.

The SQL injection vulnerability in Glances' TimescaleDB export module can allow attackers to execute arbitrary SQL commands on the backend database. This can lead to unauthorized disclosure of sensitive monitoring data, data tampering, or denial of service by corrupting or deleting database contents. Organizations relying on Glances for system monitoring and storing data in TimescaleDB are at risk of database compromise if running affected versions. Since Glances is often deployed in server environments and containers, attackers with local or container access can exploit this flaw to escalate their privileges or move laterally by compromising monitoring infrastructure. The impact is significant for organizations that rely on accurate and secure monitoring data for operational and security decisions. Additionally, compromised monitoring data integrity can hinder incident response and forensic investigations.

The primary mitigation is to upgrade Glances to version 4.5.1 or later, where the vulnerability is fixed by properly escaping embedded single quotes in SQL queries. Organizations should audit their deployments to identify any instances running affected versions. For environments where immediate upgrade is not feasible, consider disabling the TimescaleDB export feature temporarily to eliminate the attack surface. Additionally, restrict local and container access to trusted users only, as exploitation requires the ability to supply attacker-controlled data. Implement network segmentation and monitoring to detect anomalous database queries. Database permissions should be minimized to limit the impact of any injection. Finally, consider employing Web Application Firewalls or SQL query monitoring tools that can detect and block suspicious SQL injection attempts targeting the monitoring infrastructure.