CVE-2026-46606
HighCVSS 7.8Exploitation Probability (EPSS)
Low risk12th percentile — higher than 12% of all known CVEs
Summary
Glances is a system monitoring tool that prior to version 4.5.5 had a vulnerability in the KVM/QEMU monitoring engine. VM domain names were passed into command templates without proper sanitization, allowing users with the ability to create or rename virtual machines to execute arbitrary commands.
Risk Assessment
Users with access to create or modify virtual machines can gain access to the operating system running Glances, posing a serious security risk, especially when Glances runs with root privileges.
Recommendation
It is recommended to update Glances to version 4.5.5 or later to mitigate this vulnerability. Additionally, consider restricting user permissions for creating and modifying virtual machines.
Original NVD description (English source)
Glances is an open-source system cross-platform monitoring tool. Prior to 4.5.5, the Glances KVM/QEMU monitoring engine (glances/plugins/vms/engines/virsh.py) passes VM domain names, read directly from virsh list --all output, into f-string command templates that are processed by secure_popen(). secure_popen() is explicitly designed to interpret &&, |, and > as shell operators. Because domain names are never sanitised before interpolation, any user with the ability to create or rename a KVM/QEMU virtual machine can execute arbitrary commands as the OS user running Glances — commonly root on hypervisor hosts. This vulnerability is fixed in 4.5.5.

