Upstream information

CVE-2026-53925 at MITRE

Description

Glances is an open-source system cross-platform monitoring tool. From 4.0.8 until 4.5.5, the secure_popen() function in glances/secure.py interprets > (file redirection), | (pipe), and && (command chaining) operators in command strings. These operators are applied without any validation on the target file path, piped command, or chained command. When Application Monitoring Process (AMP) modules load their command or service_cmd configuration values from glances.conf, those values are passed directly to secure_popen() with no sanitization. This allows an attacker who can modify the Glances configuration file to write arbitrary content to arbitrary filesystem paths (via >), chain arbitrary commands (via &&), or pipe command output to arbitrary programs (via |). This vulnerability is fixed in 4.5.5.

SUSE information

Overall state of this security issue: Resolved

This issue is currently rated as having important severity.

CVSS v3 Scores
CVSS detail CNA (GitHub)
Base Score 7.8
Vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality Impact High
Integrity Impact High
Availability Impact High
CVSSv3 Version 3.1
SUSE Bugzilla entry: 1268984 [IN_PROGRESS]

No SUSE Security Announcements cross referenced.

List of released packages

Product(s) Fixed package version(s) References
openSUSE Tumbleweed
  • glances-common >= 4.5.5-1.1
  • python311-Glances >= 4.5.5-1.1
  • python313-Glances >= 4.5.5-1.1
  • python314-Glances >= 4.5.5-1.1
Patchnames:
openSUSE-Tumbleweed-2026-11122


SUSE Timeline for this CVE

CVE page created: Wed Jun 24 00:03:12 2026
CVE page last modified: Sat Jun 27 19:28:05 2026