NIXPKGS-2026-1197

GitHub issue published on

Permalink CVE-2026-35588

6.3 MEDIUM

CVSS version: 3.1
Attack vector (AV): LOCAL
Attack complexity (AC): LOW
Privileges required (PR): HIGH
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): HIGH
Availability impact (A): LOW

updated 1 week ago by @LeSuisse Activity log

Created suggestion 1 week, 1 day ago
@LeSuisse ignored
5 packages
- python312Packages.glances-api
- python313Packages.glances-api
- python314Packages.glances-api
- home-assistant-component-tests.glances
- tests.home-assistant-components.glances
1 week ago
@LeSuisse accepted 1 week ago
@LeSuisse published on GitHub 1 week ago

Glances has CQL Injection in its Cassandra Export Module via Unsanitized Config Values

Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.4, the Cassandra export module (`glances/exports/glances_cassandra/__init__.py`) interpolates `keyspace`, `table`, and `replication_factor` configuration values directly into CQL statements without validation. A user with write access to `glances.conf` can redirect all monitoring data to an attacker-controlled Cassandra keyspace. Version 4.5.4 contains a fix.

References

https://github.com/nicolargo/glances/security/advisories/GHSA-grp3-h8m8-45p7 x_refsource_CONFIRM
https://github.com/nicolargo/glances/commit/d339181f03a14bb15506307e9d58f876e23d8160 x_refsource_MISC
https://github.com/nicolargo/glances/commit/e41b665576f9fd5374e3152078726cc59a01e48c x_refsource_MISC

Affected products

glances

==< 4.5.4

Matching in nixpkgs

pkgs.glances

Cross-platform curses-based monitoring tool

nixos-unstable 4.5.3.2
- nixpkgs-unstable 4.5.3.2
- nixos-unstable-small 4.5.3.2
nixos-25.11 4.3.3
- nixos-25.11-small 4.3.3
- nixpkgs-25.11-darwin 4.3.3