SCA: security update for Glances (GHSA-7p93-6934-f4q7)

high Tenable Self-Hosted Container Security Plugin ID 440912

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.3, the Glances XML-
RPC server (activated with glances -s or glances --server) sends Access-Control-Allow-Origin: * on every
HTTP response. Because the XML-RPC handler does not validate the Content-Type header, an attacker-
controlled webpage can issue a CORS "simple request" (POST with Content-Type: text/plain) containing a
valid XML-RPC payload. The browser sends the request without a preflight check, the server processes the
XML body and returns the full system monitoring dataset, and the wildcard CORS header lets the attacker's
JavaScript read the response. The result is complete exfiltration of hostname, OS version, IP addresses,
CPU/memory/disk/network stats, and the full process list including command lines (which often contain
tokens, passwords, or internal paths). This issue has been patched in version 4.5.3. (CVE-2026-33533)

Solution

Update the Glances library and its related packages to version 4.5.3 or later.

See Also

https://github.com/advisories/GHSA-7p93-6934-f4q7

Plugin Details

Severity: High

ID: 440912

Version: Revision 1.4

Type: Local

Family: SCA Checks

Published: 4/27/2026

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.73

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: High

Base Score: 7.8

Temporal Score: 6.1

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:N/A:N

CVSS Score Source: CVE-2026-33533

CVSS v3

Risk Factor: Medium

Base Score: 6.5

Temporal Score: 5.9

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS v4

Risk Factor: High

Base Score: 7.1

Threat Score: 5.7

Threat Vector: CVSS:4.0/E:P

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 3/30/2026

Vulnerability Publication Date: 3/30/2026

Reference Information

CVE: CVE-2026-33533

cwe: CWE-942