CVE-2026-30930
Published: 10 March 2026
Summary
CVE-2026-30930 is a critical-severity SQL Injection (CWE-89) vulnerability in Nicolargo Glances. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 9.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Patching Glances to version 4.5.1 directly remediates the SQL injection vulnerability in the TimescaleDB export module.
Validating and sanitizing attacker-controlled system monitoring data, such as process names, before SQL query construction prevents injection via unescaped single quotes.
Vulnerability scanning identifies deployments of vulnerable Glances versions prior to 4.5.1 for timely remediation.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in a remotely exploitable monitoring export module (AV:N/PR:N) directly enables initial access via exploitation of a public-facing or network-accessible application component.
NVD Description
Glances is an open-source cross-platform system monitoring tool. Prior to 4.5.1, the TimescaleDB export module constructs SQL queries using string concatenation with unsanitized system monitoring data. The normalize() method wraps string values in single quotes but does not escape embedded single quotes, making SQL injection trivial via attacker-controlled data such as process names, filesystem mount points, network interface names, or container names. This vulnerability is fixed in 4.5.1.
Deeper analysis
CVE-2026-30930 is a SQL injection vulnerability (CWE-89) in the TimescaleDB export module of Glances, an open-source cross-platform system monitoring tool. Versions prior to 4.5.1 construct SQL queries using string concatenation with unsanitized system monitoring data. The normalize() method wraps string values in single quotes but fails to escape embedded single quotes, enabling trivial injection through attacker-controlled data such as process names, filesystem mount points, network interface names, or container names. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and was published on 2026-03-10.
Remote attackers require no privileges or user interaction to exploit this vulnerability over the network. By controlling monitored system data that Glances collects and exports to TimescaleDB, attackers can inject malicious SQL payloads, potentially compromising the confidentiality, integrity, and availability of the database with high impact.
The vulnerability is fixed in Glances version 4.5.1, as detailed in the project's security advisory (GHSA-x46r-mf5g-xpr6), release notes, and the patching commit. Security practitioners should upgrade affected installations to mitigate the issue.
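The quoting flaw described above beside a parameterized builder, as an added example that is not Glances' code: the function and table names are hypothetical, the sample row is constructed, and in-memory SQLite stands in for TimescaleDB (only the placeholder token differs).

```python
"""Constructed illustration of the CVE-2026-30930 pattern (hypothetical names,
not Glances' code): string-concatenated quoting beside a parameterized builder."""
import re
import sqlite3
from typing import Any, Optional

# Constructed sample row: a process name carrying an apostrophe, as monitored data can.
SAMPLE_ROW = {"name": "it's-proc", "cpu_percent": 1.5}
_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")

def normalize_vulnerable(value: Any) -> str:
    # The flaw the advisory describes: quoted, but an embedded ' is never escaped.
    if isinstance(value, bool):
        return "TRUE" if value else "FALSE"
    return f"'{value}'" if isinstance(value, str) else str(value)

def build_insert_vulnerable(table: str, row: dict) -> str:
    cols = ", ".join(row)
    vals = ", ".join(normalize_vulnerable(v) for v in row.values())
    return f"INSERT INTO {table} ({cols}) VALUES ({vals})"

def build_insert_safe(table: str, row: dict, placeholder: str = "%s") -> tuple:
    """Hardened form: identifiers are allow-listed (a placeholder cannot bind
    them); values travel as bound parameters the driver escapes for us."""
    for ident in (table, *row):
        if not _IDENT.match(ident):
            raise ValueError(f"refusing unsafe SQL identifier: {ident!r}")
    cols = ", ".join(row)
    marks = ", ".join([placeholder] * len(row))
    return f"INSERT INTO {table} ({cols}) VALUES ({marks})", tuple(row.values())

def quotes_balanced(sql: str) -> bool:
    # Review heuristic, not a parser: an unescaped quote from data leaves an odd count.
    return sql.count("'") % 2 == 0

def roundtrip(row: dict, safe: bool) -> Optional[str]:
    """Runs one insert on in-memory SQLite as a stand-in for TimescaleDB (only the
    placeholder token differs) and returns the stored name, or None on SQL error."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE processlist (name TEXT, cpu_percent REAL)")
    try:
        if safe:
            con.execute(*build_insert_safe("processlist", row, placeholder="?"))
        else:
            con.execute(build_insert_vulnerable("processlist", row))
    except sqlite3.OperationalError:
        return None
    return con.execute("SELECT name FROM processlist").fetchone()[0]
```

The vulnerable statement fails on the sample row because the apostrophe terminates the literal early; the parameterized one stores the name intact because the value never becomes part of the SQL text.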
Details
- CWE(s)