CVE-2026-33641: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in nicolargo glances
CVE-2026-33641 is an OS command injection vulnerability in the open-source monitoring tool Glances prior to version 4. 5. 3. The vulnerability arises because Glances supports dynamic configuration values where substrings enclosed in backticks are executed as system commands without validation. An attacker able to modify or influence configuration files can execute arbitrary commands with the privileges of the Glances process, potentially leading to privilege escalation if Glances runs with elevated rights. This issue has been fixed in Glances version 4. 5. 3.
AI Analysis
Technical Summary
Glances versions before 4.5.3 allow execution of arbitrary system commands during configuration parsing due to unvalidated dynamic configuration values enclosed in backticks. The vulnerability exists in the Config.get_value() function, which executes these commands without restriction. If an attacker can alter configuration files, they can execute commands with the same privileges as the Glances process, which may be elevated if run as a system service. This OS command injection vulnerability is tracked as CVE-2026-33641 and has a CVSS 3.1 base score of 7.8 (high severity). The issue is resolved in version 4.5.3.
Potential Impact
Successful exploitation allows an attacker who can modify or influence Glances configuration files to execute arbitrary OS commands with the privileges of the Glances process. If Glances runs with elevated privileges, this can lead to privilege escalation, compromising system confidentiality, integrity, and availability.
Mitigation Recommendations
Upgrade Glances to version 4.5.3 or later, where this vulnerability is patched. Until the upgrade is applied, restrict access to Glances configuration files to trusted users only to prevent unauthorized modification. No other vendor advisories or temporary mitigations are provided.
CVE-2026-33641: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in nicolargo glances
Description
CVE-2026-33641 is an OS command injection vulnerability in the open-source monitoring tool Glances prior to version 4. 5. 3. The vulnerability arises because Glances supports dynamic configuration values where substrings enclosed in backticks are executed as system commands without validation. An attacker able to modify or influence configuration files can execute arbitrary commands with the privileges of the Glances process, potentially leading to privilege escalation if Glances runs with elevated rights. This issue has been fixed in Glances version 4. 5. 3.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Glances versions before 4.5.3 allow execution of arbitrary system commands during configuration parsing due to unvalidated dynamic configuration values enclosed in backticks. The vulnerability exists in the Config.get_value() function, which executes these commands without restriction. If an attacker can alter configuration files, they can execute commands with the same privileges as the Glances process, which may be elevated if run as a system service. This OS command injection vulnerability is tracked as CVE-2026-33641 and has a CVSS 3.1 base score of 7.8 (high severity). The issue is resolved in version 4.5.3.
Potential Impact
Successful exploitation allows an attacker who can modify or influence Glances configuration files to execute arbitrary OS commands with the privileges of the Glances process. If Glances runs with elevated privileges, this can lead to privilege escalation, compromising system confidentiality, integrity, and availability.
Mitigation Recommendations
Upgrade Glances to version 4.5.3 or later, where this vulnerability is patched. Until the upgrade is applied, restrict access to Glances configuration files to trusted users only to prevent unauthorized modification. No other vendor advisories or temporary mitigations are provided.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-23T14:24:11.620Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 69ce866ce6bfc5ba1de3360d
Added to database: 4/2/2026, 3:08:28 PM
Last enriched: 4/10/2026, 12:01:16 AM
Last updated: 5/20/2026, 8:52:18 PM
Views: 31
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.