SCA: security update for Glances (GHSA-vcv2-q258-wrg7)

Severity: High. Tenable Cloud Security Plugin ID 438846

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Glances is an open-source, cross-platform system monitoring tool. The Glances action system allows
administrators to configure shell commands that execute when monitoring thresholds are exceeded. These
commands support Mustache template variables (e.g., `{{name}}`, `{{key}}`) that are populated with runtime
monitoring data. The `secure_popen()` function, which executes these commands, implements its own pipe,
redirect, and chain operator handling by splitting the command string before passing each segment to
`subprocess.Popen(shell=False)`. Prior to 4.5.2, when a Mustache-rendered value (such as a process name,
filesystem mount point, or container name) contains pipe, redirect, or chain metacharacters, the rendered
command is split in unintended ways, allowing an attacker who controls a process name or container name to
inject arbitrary commands. Version 4.5.2 fixes the issue. (CVE-2026-32608)
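
The split-after-render flaw described above, as an added example (not Glances' code and not the project's fix): a toy splitter plans argv segments without executing anything, first rendering before splitting, then tokenizing the trusted template before rendering. The function names, the operator set, the template and the sample values are assumptions constructed for illustration.

```python
import re
import shlex

# Assumption: a toy operator set standing in for the pipe, redirect and chain
# handling the advisory describes. This is not Glances' secure_popen().
_OPS = re.compile(r"(&&|\||>)")
_VAR = re.compile(r"\{\{(\w+)\}\}")


def render(text, values):
    """Minimal Mustache-style substitution of {{var}} placeholders."""
    return _VAR.sub(lambda m: str(values.get(m.group(1), "")), text)


def _segments(command):
    """Split on operators; re.split keeps operators at odd indexes, drop them."""
    return _OPS.split(command)[::2]


def plan_render_then_split(template, values):
    """Flawed order: runtime data is substituted before operator splitting."""
    return [shlex.split(seg) for seg in _segments(render(template, values))]


def plan_split_then_render(template, values):
    """Safer order: tokenize the trusted template, then fill each argv item."""
    return [[render(tok, values) for tok in shlex.split(seg)]
            for seg in _segments(template)]


def flag_risky_values(values):
    """Detection aid: names of values that carry a splitter operator."""
    return sorted(k for k, v in values.items() if _OPS.search(str(v)))


# Constructed sample: an action template and a monitored process name.
TEMPLATE = "echo alert {{name}} | wc -c"
VALUES = {"name": "web && echo INJECTED", "key": "cpu"}

if __name__ == "__main__":
    print(plan_render_then_split(TEMPLATE, VALUES))  # three argv lists
    print(plan_split_then_render(TEMPLATE, VALUES))  # two argv lists
    print(flag_risky_values(VALUES))
```

Even with the safer order, the value still reaches the target program as an argument, so a template that hands it to an interpreter (for example `sh -c`) remains exposed.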

Solution

Update the Glances library and its related packages to version 4.5.2 or later.

See Also

https://github.com/advisories/GHSA-vcv2-q258-wrg7

Plugin Details

Severity: High

ID: 438846

Version: Revision 1.7

Type: Local

Family: SCA Checks

Published: 3/16/2026

Updated: 6/1/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.88

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: Medium

Base Score: 6

Temporal Score: 4.7

Vector: CVSS2#AV:L/AC:H/Au:S/C:C/I:C/A:C

CVSS Score Source: CVE-2026-32608

CVSS v3

Risk Factor: High

Base Score: 7

Temporal Score: 6.3

Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 3/16/2026

Vulnerability Publication Date: 3/16/2026

Reference Information

CVE: CVE-2026-32608

CWE: CWE-78