{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32611", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-12T14:54:24.270Z", "datePublished": "2026-03-18T17:21:18.668Z", "dateUpdated": "2026-03-18T18:51:23.479Z"}, "containers": {"cna": {"title": "Glances has a SQL Injection in DuckDB Export via Unparameterized DDL Statements", "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "lang": "en", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/nicolargo/glances/security/advisories/GHSA-49g7-2ww7-3vf5", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/nicolargo/glances/security/advisories/GHSA-49g7-2ww7-3vf5"}, {"name": "https://github.com/nicolargo/glances/commit/63b7da28895249d775202d639e5531ba63491a5c", "tags": ["x_refsource_MISC"], "url": "https://github.com/nicolargo/glances/commit/63b7da28895249d775202d639e5531ba63491a5c"}, {"name": "https://github.com/nicolargo/glances/releases/tag/v4.5.2", "tags": ["x_refsource_MISC"], "url": "https://github.com/nicolargo/glances/releases/tag/v4.5.2"}], "affected": [{"vendor": "nicolargo", "product": "glances", "versions": [{"version": "< 4.5.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-18T17:21:18.668Z"}, "descriptions": [{"lang": "en", "value": "Glances is an open-source system cross-platform monitoring tool. The GHSA-x46r fix (commit 39161f0) addressed SQL injection in the TimescaleDB export module by converting all SQL operations to use parameterized queries and `psycopg.sql` composable objects. However, the DuckDB export module (`glances/exports/glances_duckdb/__init__.py`) was not included in this fix and contains the same class of vulnerability: table names and column names derived from monitoring statistics are directly interpolated into SQL statements via f-strings. While DuckDB INSERT values already use parameterized queries (`?` placeholders), the DDL construction and table name references do not escape or parameterize identifier names. Version 4.5.3 provides a more complete fix."}], "source": {"advisory": "GHSA-49g7-2ww7-3vf5", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/nicolargo/glances/security/advisories/GHSA-49g7-2ww7-3vf5", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-18T18:50:55.560409Z", "id": "CVE-2026-32611", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-18T18:51:23.479Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32611", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-18T18:50:55.560409Z"}}}], "references": [{"url": "https://github.com/nicolargo/glances/security/advisories/GHSA-49g7-2ww7-3vf5", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-18T18:51:13.340Z"}}], "cna": {"title": "Glances has a SQL Injection in DuckDB Export via Unparameterized DDL Statements", "source": {"advisory": "GHSA-49g7-2ww7-3vf5", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "nicolargo", "product": "glances", "versions": [{"status": "affected", "version": "< 4.5.2"}]}], "references": [{"url": "https://github.com/nicolargo/glances/security/advisories/GHSA-49g7-2ww7-3vf5", "name": "https://github.com/nicolargo/glances/security/advisories/GHSA-49g7-2ww7-3vf5", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/nicolargo/glances/commit/63b7da28895249d775202d639e5531ba63491a5c", "name": "https://github.com/nicolargo/glances/commit/63b7da28895249d775202d639e5531ba63491a5c", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/nicolargo/glances/releases/tag/v4.5.2", "name": "https://github.com/nicolargo/glances/releases/tag/v4.5.2", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Glances is an open-source system cross-platform monitoring tool. The GHSA-x46r fix (commit 39161f0) addressed SQL injection in the TimescaleDB export module by converting all SQL operations to use parameterized queries and `psycopg.sql` composable objects. However, the DuckDB export module (`glances/exports/glances_duckdb/__init__.py`) was not included in this fix and contains the same class of vulnerability: table names and column names derived from monitoring statistics are directly interpolated into SQL statements via f-strings. While DuckDB INSERT values already use parameterized queries (`?` placeholders), the DDL construction and table name references do not escape or parameterize identifier names. Version 4.5.3 provides a more complete fix."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-18T17:21:18.668Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32611", "state": "PUBLISHED", "dateUpdated": "2026-03-18T18:51:23.479Z", "dateReserved": "2026-03-12T14:54:24.270Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-18T17:21:18.668Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:nicolargo:glances:*:*:*:*:*:*:*:*", "matchCriteriaId": "3FC19E01-80F1-43BB-912C-39FE99143A59", "versionEndExcluding": "4.5.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Glances is an open-source system cross-platform monitoring tool. The GHSA-x46r fix (commit 39161f0) addressed SQL injection in the TimescaleDB export module by converting all SQL operations to use parameterized queries and `psycopg.sql` composable objects. However, the DuckDB export module (`glances/exports/glances_duckdb/__init__.py`) was not included in this fix and contains the same class of vulnerability: table names and column names derived from monitoring statistics are directly interpolated into SQL statements via f-strings. While DuckDB INSERT values already use parameterized queries (`?` placeholders), the DDL construction and table name references do not escape or parameterize identifier names. Version 4.5.3 provides a more complete fix."}], "id": "CVE-2026-32611", "lastModified": "2026-03-19T19:11:13.467", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.0, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 4.7, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-18T18:16:28.593", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/nicolargo/glances/commit/63b7da28895249d775202d639e5531ba63491a5c"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/nicolargo/glances/releases/tag/v4.5.2"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/nicolargo/glances/security/advisories/GHSA-49g7-2ww7-3vf5"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/nicolargo/glances/security/advisories/GHSA-49g7-2ww7-3vf5"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,4.5.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "glances", "source": "cna", "vendor": "nicolargo"}, "product": "glances", "vendor": "nicolargo"}], "analysis": {"en": {"generated_at": "2026-03-19T20:25:11.459665+00:00", "value": {"mitigation_remediation": ["Upgrade Glances to version 4.5.3 or later, which includes a complete fix for the DuckDB export module.", "Verify that any exported data is generated from trusted input sources before activation of the DuckDB export feature."], "summary": {"action": "Update", "impact": "SQL Injection via DuckDB Export"}, "threat_synthesis": {"affected_systems": "The affected product is Glances from the vendor 'nicolargo' (CPE: cpe:2.3:a:nicolargo:glances:*:*:*:*:*:*:*).* All releases prior to version 4.5.3 are vulnerable, including the 4.5.2 release referenced in the advisory. The vulnerability exists in the DuckDB export module located at glances/exports/glances_duckdb/__init__.py.", "description_and_impact": "Glances, an open\u2011source system monitoring tool, has a flaw in the DuckDB export module where table and column names are interpolated directly into DDL statements using f\u2011strings. This unparameterized identifier insertion allows an attacker who can influence monitoring statistics or trigger the export to inject arbitrary SQL. The vulnerability is classified as CVE\u20112026\u201132611 and is a classic SQL injection (CWE\u201189) that can compromise data integrity and confidentiality by allowing malicious DDL operations.", "risk_and_exploitability": "The CVSS score is 7, indicating high severity. The EPSS score is reported as less than 1%, suggesting that exploitation is relatively uncommon. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog. Attackers would need local or otherwise privileged access to execute the vulnerable export function; however, the unparameterized DDL lets an attacker potentially write arbitrary tables or drop data. The lack of a public exploit does not negate the risk, and the severity rating recommends remediation."}}}}, "created": "2026-03-19T08:56:18.631104+00:00", "updated": "2026-03-24T10:58:27.217904+00:00", "vendors": ["nicolargo", "nicolargo$PRODUCT$glances"]}