CVE-2026-30930: Glances has SQL Injection via Process Names in TimescaleDB Export
(updated )
The TimescaleDB export module constructs SQL queries using string concatenation with unsanitized system monitoring data. The normalize() method wraps string values in single quotes but does not escape embedded single quotes, making SQL injection trivial via attacker-controlled data such as process names, filesystem mount points, network interface names, or container names.
Root Cause: The normalize() function uses f"’{value}’" for string values without escaping single quotes within the value. The resulting strings are concatenated into INSERT queries via string formatting and executed directly with cur.execute() — no parameterized queries are used.
References
- github.com/advisories/GHSA-x46r-mf5g-xpr6
- github.com/nicolargo/glances
- github.com/nicolargo/glances/commit/39161f0d6fd723d83f534b48f24cdca722573336
- github.com/nicolargo/glances/releases/tag/v4.5.1
- github.com/nicolargo/glances/security/advisories/GHSA-x46r-mf5g-xpr6
- nvd.nist.gov/vuln/detail/CVE-2026-30930
Code Behaviors & Features
Detect and mitigate CVE-2026-30930 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →