SB2026042155 - Multiple vulnerabilities in glances

Description

This security bulletin contains information about 2 vulnerabilities.

1) SQL injection (CVE-ID: CVE-2026-30930)

The vulnerability allows a local user to execute arbitrary SQL commands.

The vulnerability exists due to SQL injection in the TimescaleDB export module when processing unsanitized system monitoring data in SQL queries. A local user can create a process or other monitored resource with a specially crafted name to execute arbitrary SQL commands.

Exploitation is possible through attacker-controlled values such as process names, filesystem mount points, network interface names, or container names.

2) Improper access control (CVE-ID: CVE-2026-30928)

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to improper access control in the /api/4/config REST API endpoint when handling requests to retrieve configuration data. A remote attacker can send a request to the endpoint to disclose sensitive information.

The endpoint returns the parsed configuration file without filtering or redacting secrets, exposing credentials such as database passwords, API tokens, JWT signing keys, and SSL key passwords.

Remediation

Install update from vendor's website.

References

• https://github.com/nicolargo/glances/security/advisories/GHSA-x46r-mf5g-xpr6
• https://github.com/nicolargo/glances/security/advisories/GHSA-gh4x-f7cq-wwx6