CVE-2026-46608
CVE-2026-46608 is a high-severity vulnerability with a CVSS 3.x base score of 7.4. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-183.
Key facts
- Severity: High (CVSS 3.x base score 7.4)
- EPSS exploit prediction: 0% (32nd percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2026-39522
- Weakness: CWE-183
- Published:
- Last modified:
Description
Glances is an open-source system cross-platform monitoring tool. Prior to 4.5.5, the Glances XML-RPC server (glances -s) introduced a configurable CORS origin list in version 4.5.3 as a mitigation for CVE-2026-33533. However, the implementation silently falls back to Access-Control-Allow-Origin: * whenever cors_origins contains more than one entry. An operator who configures an explicit two-entry allowlist (e.g. two internal dashboard origins) intending to restrict browser access instead receives the unrestricted wildcard. A malicious web page served from any origin can issue a CORS simple request to /RPC2 and read the full system monitoring dataset without the victim's knowledge. This vulnerability is fixed in 4.5.5.
Frequently asked questions
- What is CVE-2026-46608?
- Glances is an open-source system cross-platform monitoring tool. Prior to 4.5.5, the Glances XML-RPC server (glances -s) introduced a configurable CORS origin list in version 4.5.3 as a mitigation for CVE-2026-33533. However, the implementation silently falls back to Access-Control-Allow-Origin: * whenever cors_origins contains more than one entry. An operator who configures an explicit two-entry allowlist (e.g. two internal dashboard origins) intending to restrict browser access instead receives the unrestricted wildcard. A malicious web page served from any origin can issue a CORS simple request to /RPC2 and read the full system monitoring dataset without the victim's knowledge. This vulnerability is fixed in 4.5.5.
- How severe is CVE-2026-46608?
- CVE-2026-46608 has a CVSS 3.x base score of 7.4, rated high severity. It is exploitable over network with low attack complexity, requires no privileges and user interaction. Impact on confidentiality is high, integrity none, and availability none.
- Is CVE-2026-46608 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (32nd percentile), an estimate of the probability of exploitation in the next 30 days.
- How do I fix CVE-2026-46608?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its high severity, prioritise patching exposed systems.
- Does CVE-2026-46608 have an EU (EUVD) identifier?
- Yes. CVE-2026-46608 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2026-39522.
- When was CVE-2026-46608 published?
- CVE-2026-46608 was published on 2026-06-25 and last updated on 2026-06-26.
References
- https://github.com/nicolargo/glances/releases/tag/v4.5.5
- https://github.com/nicolargo/glances/security/advisories/GHSA-87qc-fj39-wccr
Other CWE-183 vulnerabilities
- CVE-2026-3490 — Critical (CVSS 10.0): picklescan before 1.0.4 fails to block pkgutil.resolve_name, allowing attackers to bypass the entire blocklist by…
- CVE-2026-54316 — Critical (CVSS 9.1): Claude Code is an agentic coding tool. From 0.2.54 until 2.1.163, because the hostname huggingface.co was pre-approved…
- CVE-2026-29514 — High (CVSS 8.8): NetBox versions 4.3.5 through 4.5.4 contain a remote code execution vulnerability in the…
- CVE-2026-46391 — High (CVSS 8.7): HAX CMS helps manage microsite universe with PHP or NodeJs backends. Starting in version 9.0.1 and prior to version…
- CVE-2025-53762 — High (CVSS 8.7): Permissive list of allowed inputs in Microsoft Purview allows an authorized attacker to elevate privileges over a…
- CVE-2026-59802 — High (CVSS 8.2): PasswordPusher before 2.8.1 accepts data URI schemes in URL push payloads due to insufficient validation in the…