SQL injection in glances - CVE-2026-35588

Published: April 21, 2026


Vulnerability identifier: #VU126705
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-35588
CWE-ID: CWE-89
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: Nicolas Hennion
Affected software:
glances

Detailed vulnerability description

The vulnerability allows a local privileged user to disclose sensitive information and modify monitoring data destinations.

The vulnerability exists because the Cassandra export module does not neutralize special elements in configuration values read from glances.conf before inserting them into CQL statements. A local privileged user can supply crafted keyspace, table, or replication_factor values to disclose sensitive information and modify monitoring data destinations.

The issue can silently redirect exported CPU, memory, network, and disk I/O data to an attacker-controlled Cassandra keyspace.
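As an added illustration, not glances' own code, the following hardened statement builder assumes the exporter derives its CREATE KEYSPACE and CREATE TABLE statements from the three configuration values named above; it rejects anything that is not a plain CQL identifier or a small positive integer before the value can reach a statement. The column schema and the `validate_config` helper are assumptions for the example.

```python
import re

# Cassandra unquoted identifiers: a letter or underscore followed by
# letters, digits or underscores (48-character limit). Quotes, spaces,
# semicolons and comment markers never match, so they cannot be spliced
# into a statement. (Assumed policy for this example.)
_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,47}$")


def safe_identifier(value, what):
    """Return value unchanged if it is a plain CQL identifier, else raise."""
    if not isinstance(value, str) or not _IDENT.match(value):
        raise ValueError(f"invalid {what} in glances.conf: {value!r}")
    return value


def safe_replication_factor(value):
    """replication_factor is a small positive integer, never free text."""
    try:
        rf = int(str(value).strip())
    except ValueError:
        raise ValueError(f"replication_factor is not an integer: {value!r}") from None
    if not 1 <= rf <= 100:
        raise ValueError(f"replication_factor out of range: {rf}")
    return rf


def build_export_statements(keyspace, table, replication_factor):
    """Build the two DDL statements only from validated inputs."""
    ks = safe_identifier(keyspace, "keyspace")
    tb = safe_identifier(table, "table")
    rf = safe_replication_factor(replication_factor)
    create_keyspace = (
        f"CREATE KEYSPACE IF NOT EXISTS {ks} WITH replication = "
        f"{{'class': 'SimpleStrategy', 'replication_factor': {rf}}}"
    )
    # Illustrative schema (assumed), one row per plugin sample.
    create_table = (
        f"CREATE TABLE IF NOT EXISTS {ks}.{tb} "
        "(plugin text, time timeuuid, stat map<text,float>, "
        "PRIMARY KEY (plugin, time)) WITH CLUSTERING ORDER BY (time DESC)"
    )
    return create_keyspace, create_table


def validate_config(section):
    """Check a parsed [cassandra] section; returns a list of problems."""
    problems = []
    for key in ("keyspace", "table"):
        try:
            safe_identifier(section.get(key, ""), key)
        except ValueError as exc:
            problems.append(str(exc))
    try:
        safe_replication_factor(section.get("replication_factor", 1))
    except ValueError as exc:
        problems.append(str(exc))
    return problems
```

`validate_config` can be run against the parsed `[cassandra]` section at startup so a malformed value is reported instead of being sent to the cluster.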


How to mitigate CVE-2026-35588

Install the security update from the vendor's website.

Sources