CVE-2026-33533— Glances Vulnerable to Cross-Origin System Information Disclosure via XML-RPC Server CORS Wildcard
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-33533
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Glances Vulnerable to Cross-Origin System Information Disclosure via XML-RPC Server CORS Wildcard
Source: NVD (National Vulnerability Database)
Vulnerability Description
Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.3, the Glances XML-RPC server (activated with glances -s or glances --server) sends Access-Control-Allow-Origin: * on every HTTP response. Because the XML-RPC handler does not validate the Content-Type header, an attacker-controlled webpage can issue a CORS "simple request" (POST with Content-Type: text/plain) containing a valid XML-RPC payload. The browser sends the request without a preflight check, the server processes the XML body and returns the full system monitoring dataset, and the wildcard CORS header lets the attacker's JavaScript read the response. The result is complete exfiltration of hostname, OS version, IP addresses, CPU/memory/disk/network stats, and the full process list including command lines (which often contain tokens, passwords, or internal paths). This issue has been patched in version 4.5.3.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
过度许可的跨域白名单
Source: NVD (National Vulnerability Database)
Vulnerability Title
glances 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
glances是Nicolas Hennion个人开发者的一款系统监测工具。 Glances 4.5.3之前版本存在安全漏洞,该漏洞源于XML-RPC服务器缺少Content-Type验证和CORS配置不当,可能导致数据泄露。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-33533
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-33533
请登录查看更多情报信息。
- Release Glances 4.5.3 · nicolargo/glances · GitHubx_refsource_MISC
- https://nvd.nist.gov/vuln/detail/CVE-2026-33533
IV. Related Vulnerabilities
Same product: glances
- CVE-2026-35588
Glances has CQL Injection in its Cassandra Export Module via - CVE-2026-35587
Glances IP Plugin has SSRF via public_api that leads to cred - CVE-2026-34839
Glances Vulnerable to Cross-Origin Information Disclosure vi - CVE-2026-33641
Glances Vulnerable to Command Injection via Dynamic Configur - CVE-2026-32634
Glances Central Browser Autodiscovery Leaks Reusable Credent
Same vendor: nicolargo
- CVE-2026-35588
Glances has CQL Injection in its Cassandra Export Module via - CVE-2026-35587
Glances IP Plugin has SSRF via public_api that leads to cred - CVE-2026-34839
Glances Vulnerable to Cross-Origin Information Disclosure vi - CVE-2026-33641
Glances Vulnerable to Command Injection via Dynamic Configur - CVE-2026-32634
Glances Central Browser Autodiscovery Leaks Reusable Credent
Same weakness: CWE-942
- CVE-2026-7643
ChatGPTNextWeb NextChat API Endpoint Next.js cross-domain po - CVE-2026-7581
alexta69 MeTube CORS Policy main.py on_prepare cross-domain - CVE-2026-41056
AVideos has CORS Origin Reflection with Credentials on Sensi - CVE-2026-6662
ericc-ch copilot-api Token Endpoint server.ts cors cross-dom - CVE-2026-6143
farion1231 cc-switch ProxyServer server.rs cross-domain poli
V. Comments for CVE-2026-33533
No comments yet