Vulnerability Description
Glances is an open-source, cross-platform system monitoring tool. Prior to version 4.5.4, the Cassandra export module (`glances/exports/glances_cassandra/__init__.py`) interpolates the `keyspace`, `table`, and `replication_factor` configuration values directly into CQL statements without validation. A user with write access to `glances.conf` can redirect all monitoring data to an attacker-controlled Cassandra keyspace. Version 4.5.4 contains a fix.
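The weakness class described above is configuration values being concatenated into CQL DDL. The defensive fix is to treat `keyspace` and `table` as CQL identifiers and `replication_factor` as an integer, and to reject anything else before any statement is built. The following is an added example written for this page; it is not code from Glances or from the referenced fix commits. The identifier pattern (a letter followed by letters, digits or underscores, at most 48 characters) follows Cassandra's unquoted-identifier and keyspace-name rules, the table schema is a made-up placeholder, and `build_statements` / `is_valid_config` are hypothetical names.

```python
import re

# Cassandra unquoted identifier: letter first, then letters/digits/underscores.
# 48 characters is Cassandra's keyspace/table name length limit (assumption documented in lead-in).
_IDENT_RE = re.compile(r"[A-Za-z][A-Za-z0-9_]{0,47}")
# replication_factor must be a plain decimal integer; no signs, spaces, or other characters.
_RF_RE = re.compile(r"[0-9]{1,4}")


def validate_identifier(value, what: str) -> str:
    """Return value unchanged if it is a safe unquoted CQL identifier, else raise ValueError."""
    if not isinstance(value, str) or not _IDENT_RE.fullmatch(value):
        raise ValueError(
            f"invalid Cassandra {what} {value!r}: expected [A-Za-z][A-Za-z0-9_]* (max 48 chars)"
        )
    return value


def validate_replication_factor(value) -> int:
    """Return the replication factor as a positive int; reject anything that is not a small decimal integer."""
    if isinstance(value, bool) or not _RF_RE.fullmatch(str(value)):
        raise ValueError(f"invalid replication_factor {value!r}: expected a positive integer")
    rf = int(str(value))
    if rf < 1:
        raise ValueError("replication_factor must be at least 1")
    return rf


def build_statements(cfg: dict) -> list:
    """Validate the export config, then build the CQL DDL from the vetted values only.

    The column layout below is a constructed placeholder, not the Glances schema.
    """
    keyspace = validate_identifier(cfg.get("keyspace", "glances"), "keyspace")
    table = validate_identifier(cfg.get("table", "localhost"), "table")
    rf = validate_replication_factor(cfg.get("replication_factor", 1))
    return [
        f"CREATE KEYSPACE IF NOT EXISTS {keyspace} WITH replication = "
        f"{{'class': 'SimpleStrategy', 'replication_factor': {rf}}}",
        f"CREATE TABLE IF NOT EXISTS {keyspace}.{table} "
        "(plugin text, time timeuuid, stat map<text, float>, PRIMARY KEY (plugin, time))",
    ]


def is_valid_config(cfg: dict) -> bool:
    """Convenience check for a config-loading path: True if every export value passes validation."""
    try:
        build_statements(cfg)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample configs: one well-formed, one with characters that no identifier may contain.
    good = {"keyspace": "glances", "table": "localhost", "replication_factor": "3"}
    bad = {"keyspace": "glances; DESCRIBE KEYSPACES", "table": "localhost"}
    for stmt in build_statements(good):
        print(stmt)
    print("bad config accepted:", is_valid_config(bad))
```

Because the check runs when the configuration is read, a malformed `glances.conf` value produces a clear error rather than an exporter that silently writes to a different keyspace; the same validators can be reused wherever the module composes CQL from configuration.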
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Nicolargo | Glances | < 4.5.4 |
Related Weaknesses (CWE)
References
- https://github.com/nicolargo/glances/commit/d339181f03a14bb15506307e9d58f876e23d (Patch)
- https://github.com/nicolargo/glances/commit/e41b665576f9fd5374e3152078726cc59a01 (Patch)
- https://github.com/nicolargo/glances/security/advisories/GHSA-grp3-h8m8-45p7 (Exploit, Mitigation, Vendor Advisory)
FAQ
What is CVE-2026-35588?
CVE-2026-35588 is a vulnerability with a CVSS score of 6.3 (MEDIUM). Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.4, the Cassandra export module (`glances/exports/glances_cassandra/__init__.py`) interpolates `keyspace`, `table`,...
How severe is CVE-2026-35588?
CVE-2026-35588 has been rated MEDIUM with a CVSS base score of 6.3/10. See the CVSS Score section above for the severity rating.
Is there a patch for CVE-2026-35588?
Check the references section above for vendor advisories and patch information. Affected products include: Nicolargo Glances.