CVE-2026-32611

Published: Mar 18, 2026 Last Modified: Mar 18, 2026
ExploitDB:
Other exploit source:
Google Dorks:
HIGH 7,0
Source: [email protected]
Attack Vector: network
Attack Complexity: high
Privileges Required: none
User Interaction: none
Scope: unchanged
Confidentiality: high
Integrity: low
Availability: low

Description

AI Translation Available

Glances is an open-source system cross-platform monitoring tool. The GHSA-x46r fix (commit 39161f0) addressed SQL injection in the TimescaleDB export module by converting all SQL operations to use parameterized queries and `psycopg.sql` composable objects. However, the DuckDB export module (`glances/exports/glances_duckdb/__init__.py`) was not included in this fix and contains the same class of vulnerability: table names and column names derived from monitoring statistics are directly interpolated into SQL statements via f-strings. While DuckDB INSERT values already use parameterized queries (`?` placeholders), the DDL construction and table name references do not escape or parameterize identifier names. Version 4.5.3 provides a more complete fix.

89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Stable
Abstraction: Base Structure: Simple
Common Consequences
Security Scopes Affected:
Confidentiality Integrity Availability Authentication Access Control
Potential Impacts:
Execute Unauthorized Code Or Commands Read Application Data Gain Privileges Or Assume Identity Bypass Protection Mechanism Modify Application Data
Applicable Platforms
Languages: Not Language-Specific, SQL
Technologies: Database Server
Likelihood of Exploit: High
View CWE Details
https://github.com/nicolargo/glances/security/advisories/GH…
https://github.com/nicolargo/glances/security/advisories/GHSA-49g7-2ww7-3vf5
https://github.com/nicolargo/glances/commit/63b7da28895249d…
https://github.com/nicolargo/glances/commit/63b7da28895249d775202d639e5531ba634…
https://github.com/nicolargo/glances/releases/tag/v4.5.2
https://github.com/nicolargo/glances/releases/tag/v4.5.2
https://github.com/nicolargo/glances/security/advisories/GH…
https://github.com/nicolargo/glances/security/advisories/GHSA-49g7-2ww7-3vf5