PYSEC-2026-2167

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/glances/PYSEC-2026-2167.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-2167
Aliases
Published
2026-03-18T07:16:21.447Z
Modified
2026-07-13T07:15:31.492684142Z
Severity
  • 7.0 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

Glances is an open-source system cross-platform monitoring tool. The Glances action system allows administrators to configure shell commands that execute when monitoring thresholds are exceeded. These commands support Mustache template variables (e.g., {{name}}, {{key}}) that are populated with runtime monitoring data. The secure_popen() function, which executes these commands, implements its own pipe, redirect, and chain operator handling by splitting the command string before passing each segment to subprocess.Popen(shell=False). Prior to 4.5.2, when a Mustache-rendered value (such as a process name, filesystem mount point, or container name) contains pipe, redirect, or chain metacharacters, the rendered command is split in unintended ways, allowing an attacker who controls a process name or container name to inject arbitrary commands. Version 4.5.2 fixes the issue.

References

Affected packages

PyPI / glances

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
4.5.2

Affected versions

1.*
1.3.1
1.3.2
1.3.3
1.3.4
1.3.5
1.3.6
1.3.7
1.4
1.4.1
1.4.1.1
1.4.2
1.4.2.1
1.5
1.5.1
1.5.2
1.6
1.6.1
1.7
1.7.1
1.7.2
1.7.3
1.7.4
1.7.5
1.7.6
1.7.7
2.*
2.0
2.0.1
2.1
2.1.1
2.1.2
2.2
2.2.1
2.3
2.4
2.4.1
2.4.2
2.5
2.5.1
2.6
2.6.1
2.6.2
2.7
2.7.1
2.8
2.8.1
2.8.2
2.8.3
2.8.4
2.8.5
2.8.6
2.8.7
2.8.8
2.9.0
2.9.1
2.10
2.11
2.11.1
3.*
3.0
3.0.1
3.0.2
3.1.0
3.1.1
3.1.2
3.1.3
3.1.4
3.1.4.1
3.1.5
3.1.6
3.1.6.1
3.1.6.2
3.1.7
3.2.0
3.2.1
3.2.2
3.2.3
3.2.3.1
3.2.4
3.2.4.1
3.2.4.2
3.2.5
3.2.6.1
3.2.6.2
3.2.6.3
3.2.6.4
3.2.7
3.3.0
3.3.0.1
3.3.0.2
3.3.0.3
3.3.0.4
3.3.1
3.3.1.1
3.4.0
3.4.0.1
3.4.0.2
3.4.0.3
3.4.0.4
3.4.0.5
4.*
4.0.1
4.0.2
4.0.3
4.0.4
4.0.5
4.0.6
4.0.7
4.0.8
4.1.0
4.1.1
4.1.2
4.2.0
4.2.1
4.3.0
4.3.0.1
4.3.0.3
4.3.0.4
4.3.0.5
4.3.0.6
4.3.0.7
4.3.0.8
4.3.1
4.3.2
4.3.3
4.4.0
4.4.1
4.5.0
4.5.0.1
4.5.0.2
4.5.0.3
4.5.0.4
4.5.0.5
4.5.1

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/glances/PYSEC-2026-2167.yaml"