Glances 4.5.4

Bug corrected:

• Cannot set warning/critical temperature for a specific sensor #3525
• Memory percentage and used displayed as negative numbers #3358
• Incorrect Docker container count via Homeassistant Integration #3433
• Fix LXD filter excluding containers on standalone hosts #3529

Enhancements:

• Add Rockchip MPP plugin for hardware encoder/decoder monitoring #3514
• Clamp memory used/percent to non-negative values for LXC containers #3505
• Support single-core Rockchip NPU load parsing and improve device naming #3499

Security patches:

• SSRF in Glances IP Plugin via public_api leads to credential leakage - Correct CVE-2026-35587
• Cross-Origin Information Disclosure via Unauthenticated REST API (/api/4) - Correct CVE-2026-34839
• fix(cassandra): validate keyspace/table/replication_factor to prevent CQL injection - Correct CVE-2026-35588 #3520

Continious integration and documentation:

• pycache file is put in wheel #3516
• Remove dead code #3507

Thanks to all the contributors for this version: csvke, Christian Rishøj,
duriantaco, Julio César Suástegui, Paul and morimori-dev.

Glances 4.5.3

Bug corrected:

• Internal Server Error (Web Server Mode) #3502
• Container plugin crashes with docker.errors.NullResource on Podman pod infra containers #3498
• [ALERTS] Sometime the top process list is not the good one #3481

Enhancements:

• Support for LXC/LXD containers #3480
• Add export to ClickHouse #3320

Security patches:

• Command Injection via Dynamic Configuration Values - Mitigate CVE-2026-33641
• Cross-Origin System Information Disclosure via XML-RPC Server CORS Wildcard - Mitigate CVE-2026-33533

Continious integration and documentation:

• Use sys.executable in the testsuite #3497
• Add unit tests for LXD container engine #3487
• Replace Py-Spy per Memray for FlameGraph generation
• Make the WebUI build before the packages and Docker images build
• Harden GitHub Actions workflows: minimal permissions, SHA pins, timeouts

Thanks to all the contributors for this version: Christian Rishøj, Jeongwoo Kim, Ofek Gabay, Steve Kowalik, Tanishq Shah, Mithun M.

Glances 4.5.2

Bug corrected

• System display error on "little" terminal #3469

Security patches

• Default CORS Configuration Allows Cross-Origin Credential Theft - Correct CVE-2026-32610
• Incomplete Secrets Redaction: /api/v4/args Endpoint Leaks Password Hash and SNMP Credentials - Correct CVE-2026-32609
• REST/WebUI Lacks Host Validation and Remains Exposed to DNS Rebinding - Correct CVE-2026-32632
• Unauthenticated API Exposure / Add warning message on startup - Correct CVE-2026-32596
• SQL Injection in DuckDB Export via Unparameterized DDL Statements - Correct CVE-2026-32611
• Command Injection via Process Names in Action Command Templates - Correct CVE-2026-32608
• Central Browser Autodiscovery Leaks Reusable Credentials to Zeroconf-Spoofed Servers - Correct CVE-2026-32634
• Browser API Exposes Reusable Downstream Credentials via - Correct CVE-2026-32633

Breaking changes

This release addresses 8 security vulnerabilities (see below). Several of the mitigations change observable behaviour. Users who run Glances in web server or API mode (-w / --enable-webserver) should read the items below before upgrading.

CVE-2026-32632 Host header validation is now enforced on the built-in web server. Requests whose Host header does not match localhost or 127.0.0.1 will be rejected with HTTP 400 by default. Users accessing Glances through a reverse proxy, a custom hostname, or a non-loopback IP address must declare the allowed values with the new allowed_hosts key in the [outputs] section of glances.conf (comma-separated list). This was already required for the MCP server since 4.5.1; it now also applies to the main REST/WebUI server.

CVE-2026-32610 The default CORS policy is now restrictive. Previously, the server replied with Access-Control-Allow-Origin: * which allowed any web page to issue credentialed cross-origin requests against the API. The wildcard is removed. Users running third-party web dashboards or custom front-ends on a different origin must explicitly list allowed origins with the cors_origins key in the [outputs] section of glances.conf.

CVE-2026-32609 Sensitive fields are now redacted on unauthenticated API responses. The /api/4/args and /api/4/config endpoints no longer return password hashes, SSL key paths, or SNMP community strings to callers that have not authenticated. Scripts and integrations that relied on reading these values from the API must now authenticate (token or password) to receive them.

CVE-2026-32633 and CVE-2026-32634 The Browser (multi-server mode) no longer forwards configured credentials to remote Glances servers, whether discovered via Zeroconf or listed in the [serverlist] section. Credentials are only sent after the user explicitly logs in to an individual server. Automated setups that relied on transparent credential propagation must switch to per-server authentication.

CVE-2026-32596 A WARNING is now printed to stdout at startup when the REST API is running without authentication (no --password and no API token configured). This is an informational message; the unauthenticated mode itself is unchanged and remains the default for private-network deployments. Startup scripts or monitoring pipelines that treat any stderr/stdout output as a failure may need to be updated.

CVE-2026-32611 The DuckDB export module now uses parameterized DDL statements. Table names derived from plugin or metric names are sanitized before use. Existing DuckDB databases whose table names contained characters that were previously interpolated verbatim may need to be recreated.

CVE-2026-32608 Process names used in [action] command templates are now shell-escaped before substitution. Templates that relied on unescaped special characters in process names to construct compound shell expressions will no longer behave as before.

Thanks to @psyberck for the UI patch and @DhiyaneshGeek / @restriction for CVEs reports.

Glances 4.5.1

Release date: March 2026
Milestone: [#91](https://github.com/nicolargo/glances/milestone/91?closed=1)
21 issues & pull requests closed

---

Overview

Glances 4.5.1 is a stability and quality release that addresses regressions introduced
in the 4.5.0.x series, fixes cross-platform compatibility issues (OpenBSD, macOS, Snap),
and ships several community-driven enhancements — most notably Intel GPU monitoring,
Docker container health alerting, and per-plugin min/max/mean statistics.

---

🐛 Bug Fixes

Plugins

• DiskIO — crash on OpenBSD ([#3452](#3452))
  A regression introduced in 4.5.0.5 caused Glances to crash on OpenBSD when the DiskIO
  plugin was active. The root cause was an unguarded attribute access in msg_curse().
  Fixed and covered by an additional test case.

• DiskIO — empty args not handled in msg_curse() ([#3429](#3429))
  A TypeError would be raised in specific runtime configurations where args was not yet
  populated when msg_curse() was called. A safe default is now enforced.

• Filesystem — KeyError: '/etc/hostname' on get_view ([#3470](#3470))
  Certain bind-mounted or virtual paths (e.g. /etc/hostname inside containers) could
  trigger a KeyError in the FS plugin's view logic. The lookup is now guarded with a
  safe fallback.

• Sensors — show/hide by alias name broken ([#3439](#3439))
  Filtering sensors by alias name via the configuration file had no effect in some
  configurations. Sensor aliasing and the associated hide/show logic are now correctly
  applied together.

• SMART — non-uniform key types cause TypeError with InfluxDB2 export ([#3449](#3449))
  Mixed integer/string key types in the SMART plugin's device stats dict were causing a
  TypeError when exporting to InfluxDB2. Key types are now normalized before export.

Web UI

• Fahrenheit display incorrect in WebUI ([#3450](#3450))
  Temperature values were not properly converted to Fahrenheit in the Web UI when the
  --fahrenheit option was set. The unit conversion is now applied consistently on the
  frontend side.

Snap Packaging

• AMD GPU plugin: PermissionError on /usr/share/libdrm/amdgpu.ids ([#3456](#3456))
  Glances packaged as a Snap would refuse to start on systems with an AMD GPU because the
  GPU plugin attempted to open a file outside the Snap sandbox. The exception is now
  caught at the correct level (open() rather than f.read()), preventing the crash at
  startup.

• NVIDIA GPU not detected under Snap ([#3292](#3292))
  The Snap package was missing the opengl interface declaration in snapcraft.yaml,
  preventing the NVIDIA GPU plugin from accessing the required device nodes under strict
  confinement. The interface is now correctly declared.

MCP Server

• DNS rebinding protection blocks external MCP clients ([#3467](#3467))
  The MCP server was rejecting connections from external hosts because the underlying SSE
  transport's DNS rebinding protection only allowed localhost by default. A new
  mcp_allowed_hosts configuration key (parsed in GlancesRestfulApi.load_config() and
  forwarded via TransportSecuritySettings) lets operators explicitly whitelist external
  hostnames, following the same pattern as cors_origins.

---

✨ Enhancements

Intel GPU Monitoring ([#994](#994))

Intel GPU metrics are now supported in the GPU plugin, closing a long-standing feature
request. The implementation follows the multi-vendor reader architecture, joining the
existing NVIDIA and AMD backends.

Docker Container Health Status & Alerts ([#3402](#3402))

The containers plugin now surfaces Docker's native health check status (healthy,
unhealthy, starting) and integrates it with Glances' alert system so that unhealthy
containers trigger visible warnings in the TUI and API.

VM Plugin — libvirt Support in Docker Image ([#3427](#3427) / [#3436](#3436))

The official Glances Docker image now includes the libvirt-client toolchain, enabling
the VMs plugin to discover and monitor KVM/QEMU virtual machines when the host's
libvirt socket is bind-mounted into the container.

SMART Plugin — DeviceName Key Added ([#3457](#3457))

Each SMART device entry now carries an explicit DeviceName field, making device
identification unambiguous in exports (InfluxDB, CSV, etc.) and the REST API.

Per-Plugin Min / Max / Mean Statistics ([#3462](#3462))

All plugins now compute and expose min, max, and mean values accumulated since
Glances startup. These aggregate metrics are available via the REST API and can be used
for lightweight trend analysis without requiring a full time-series export stack.

CPU Plugin — Improved Display on macOS ([#3464](#3464))

The CPU plugin's TUI and WebUI rendering has been improved for macOS, where certain
fields (e.g. steal, guest) are not available. The layout now adapts gracefully to
the subset of metrics exposed by the platform rather than showing empty or misleading
columns.

History — --enable-history Flag Restored ([#3416](#3416))

The --enable-history CLI flag was silently ignored in recent releases. It is now
correctly wired to the graph export backend, restoring the ability to write per-plugin
time-series data to disk from the command line.

---

🔧 Code Quality & Refactoring

• JSON serializer hardened ([#3454](#3454))
  The internal JSON serializer now performs comprehensive type normalization (e.g.
  numpy scalars, Decimal, non-serializable objects) before encoding, preventing
  silent data corruption or export failures. Covered by a new test suite.

• split_esc cyclomatic complexity reduced ([#3461](#3461))
  The split_esc() utility function in glances_globals was refactored to lower its
  cyclomatic complexity, improving readability and reducing the risk of regressions in
  escape-sequence parsing.

• Plugin tests added to Makefile ([#3446](#3446))
  Individual plugin test targets are now available via make test-plugins, making it
  easier for contributors and CI pipelines to run focused plugin-level regression checks.

---

📖 Documentation

• Code block formatting fixed in docs ([#3447](#3447))
  Several documentation pages contained malformed fenced code blocks. Formatting has been
  corrected for proper rendering on GitHub and ReadTheDocs.

---

Upgrade Notes

This is a drop-in replacement for 4.5.0.x. No configuration file changes are required
unless you want to take advantage of the new mcp_allowed_hosts option.

Snap users are strongly encouraged to upgrade: the AMD GPU startup crash and the
NVIDIA GPU detection fix are both included and require no manual intervention beyond
refreshing the snap package.

---

Contributors

Many thanks to all the contributors who reported issues and submitted pull requests for
this release:

[@YamiYukiSenpai](https://github.com/YamiYukiSenpai),
[@amzon-ex](https://github.com/amzon-ex),
[@axodentally](https://github.com/axodentally),
[@fpusan](https://github.com/fpusan),
[@janusn](https://github.com/janusn),
[@kleinmatic](https://github.com/kleinmatic),
[@lcheylus](https://github.com/lcheylus),
[@lubomir-moric](https://github.com/lubomir-moric),
[@mark-rahal](https://github.com/mark-rahal),
[@mikemhenry](https://github.com/mikemhenry),
[@Ambika-Patidar](https://github.com/Ambika-Patidar),
[[@AbdelhamidKhald...

Glances 4.5.0

Warning: Glances 4.5.0 has been removed and replaced by Glances 4.5.0.1.

I'm excited to announce the release of Glances 4.5.0, featuring 40 completed issues and pull requests! This release brings significant new features, important bug fixes, and major improvements to stability and security.

🆕 New Features

Advanced Monitoring Capabilities:

• ZFS Monitoring - Native support for ZFS filesystem monitoring
• NPU Monitoring - Track Neural Processing Unit performance
• NVMe Support - Enhanced monitoring for NVMe drives
• DuckDB Export - New export option to DuckDB database
• CPU Core Assignment - See which CPU core each process is running on in the process list

Security & API:

• API Token Authentication - Secure your RestfulAPI server with token-based authentication
• Security Hardening - Fixed Jinja2 and timeout vulnerabilities (B701, B113)
• Clear-text logging fix - Improved handling of sensitive information in logs

🐛 Major Bug Fixes

• Fixed CPU speed/max speed display issues in WebUI
• Corrected TIME+ showing incorrect large values in WebUI
• Resolved KeyError: 'used' exception in ASGI application
• Fixed InfluxDB export type mismatches for AMPs
• Corrected Quicklook behavior when psutil.cpu_freq().max=0.0
• Fixed SNMP discovery with -c parameter
• Resolved fetch option incompatibility with client/server mode

✨ Improvements

• Code Quality - Significant code complexity reduction and refactoring
• AMD GPU Support - Better GPU name detection from amdgpu.ids
• Docker - Improved build pipeline
• UI/UX - Removed empty space issues with Quicklook plugin
• Testing - Added comprehensive unit tests for core plugins
• Documentation - New Jupyter notebook for the Glances API
• Packaging - Updated license to SPDX format

📦 Get It Now

pip install --upgrade glances

Or pull the latest Docker image:

docker pull nicolargo/glances:latest

Full changelog available on the [GitHub milestone page](https://github.com/nicolargo/glances/milestone/88?closed=1).

Special thanks to all contributors who made this release possible! 🙏

As always, feedback and bug reports are welcome on our [GitHub issues page](https://github.com/nicolargo/glances/issues).

---

Note: If you find Glances useful, consider [sponsoring the project](https://github.com/sponsors/nicolargo) to support its continued development!

Glances 4.4.1

Full Changelog: v4.4.0...v4.4.1

Glances 4.4.0

What's Changed

Breaking changes:

• A new Python API is now available to use Glances as a Python lib in your hown development #3237
• In the process list, the long command line is now truncated by default. Use the arrow keys to show the full command line. SHIFT + arrow keys are used to switch between column sorts (TUI).
• Prometheus export format is now more user friendly (see detail in #3283)

Enhancements:

• Make a Glances API in order to use Glances as a Python lib #3237
• Add a new --fetch (neofetch like) option to display a snapshot of the current system status #3281
• Show used port in container section #2054
• Show long command line with arrow key #1553
• Sensors plugin refresh by default every 10 seconds
• Do not call update if a call is done to a specific plugin through the API #3033
• [UI] Process virtual memory display can be disable by configuration #3299
• Choose between used or available in the mem plugin #3288
• [Experimental] Add export to DuckDB database #3205
• Add Disk I/O Latency stats #1070
• Filter fields to export #3258
• Remove .keys() from loops over dicts #3253
• Remove iterator helpers #3252

Bug corrected:

• [MACOS] Glances not showing Processes on MacOS #3100
• Last dev build broke Homepage API calls ? only 1 widget still working #3322
• Cloud plugin always generate communication with 169.254.169.254, even if the plugin is disabled #3316
• API response delay (3+ minutes) when VMs are running #3317
• [WINDOWS] Glances do not display CPU stat correctly #3155
• Glances hangs if network device (NFS) is no available #3290
• Fix prometheus export format #3283
• Issue #3279 zfs cache and memory math issues #3289
• [MACOS] Glances crashes when I try to filter #3266
• Glances hang when killing process with muliple CTRL-C #3264
• Issues after disabling system and processcount plugins #3248
• Headers missing from predefined fields in TUI browser machine list #3250
• Add another check for the famous Netifaces issue - Related to #3219
• Key error 'type' in server_list_static.py (load_server_list) #3247

Continuous integration and documentation:

• Glances now use uv for the dev environment #3025
• Glances is compatible with Python 3.14 #3319
• Glances provides requirements files with specific versions for each release
• Requirements files are now generated dynamically with the make requirements or requirements-upgrade target
• Add duplicate line check in pre-commit (strange behavor with some VScode extension)
• Solve issue with multiprocessing exception with Snap package
• Add a test script for identify CPU consumption of sensor plugin
• Refactor port to take into account netifaces2
• Correct issue with Chrome driver in WebUI unit test
• Upgrade export test with InfluxDB 1.12
• Fix typo of --export-process-filter help message #3314
• In the outdated feature, catch error message if Pypi server not reachable
• Add unit test for auto_unit
• Label error in docs #3286
• Put WebUI conf generator in a dedicated script
• Refactor the Makefile to generate WebUI config file for all webui targets
• Update sensors documentation #3275
• Update docker compose env quote #3273
• Update docker-compose.yml #3249
• Update API doc generation
• Update README with nice icons #3236
• Add documentation for WebUI test

New Contributors

• @korn3r made their first contribution in #3249
• @lawrence-c made their first contribution in #3273
• @timrettop made their first contribution in #3275
• @jmwallach made their first contribution in #3286
• @DeepSpace2 made their first contribution in #3283
• @syohex made their first contribution in #3314
• @nicolargo

Full Changelog: v4.3.3...v4.4.0

Glances 4.3.3

What's Changed

• glances: refactor start() by @ariel-anieli in #3131
• Updates 4/6/2025: FreeBSD Section - Glances - An Eye on your System by @kenrmayfield in #3141
• Update dependency ubuntu to v24 by @renovate[bot] in #3066
• Update dependency windows to v2025 by @renovate[bot] in #3148
• Update actions/stale action to v9 by @renovate[bot] in #3108
• Update docker/build-push-action action to v6 by @renovate[bot] in #3070
• Ignore unsupported line endings in password file by @Destarianon in #3151
• Revision of confusing descriptions in the SMART section of the document by @wuhgit in #3152
• plugins: mem: reduce code complexity by @ariel-anieli in #3159
• Fix matching problem when fs config has "show" value by @nguuuquaaa in #3160
• plugins: connections: refactor by @ariel-anieli in #3161
• Revert "plugins: connections: refactor" by @nicolargo in #3162
• plugins: connections: refactor, version 2 by @ariel-anieli in #3163
• Fix the sorting of containers by @ariel-anieli in #3179
• plugins: containers; Refactor by @ariel-anieli in #3180
• podman: docker: Remove iterator helpers by @ariel-anieli in #3183
• globals: Fix a race condition in namedtuple_to_dict by @ariel-anieli in #3185
• outputs: containers: Refactor by @ariel-anieli in #3188
• glances: removal of iterators helpers in processes.py & stats_client_snmp.py by @ariel-anieli in #3187
• chore(deps): update alpine docker tag to v3.22 by @renovate[bot] in #3189
• glances: amps: Removal of iterator helpers, refactor by @ariel-anieli in #3190
• Change "Pinned thread" to "Pinned task" and "Upin" to "Unpin" by @ia74 in #3191
• Update plugin containers display and order #3186 by @fr4nc0is in #3192
• [Snyk] Fix for 8 vulnerabilities by @nicolargo in #3184
• [Snyk] Security upgrade h11 from 0.14.0 to 0.16.0 by @nicolargo in #3195
• fix(deps): update dependency pysnmp-lextudio to <6.3.1 by @renovate[bot] in #3107
• exports: Removed iterator helpers by @Boris-Okassa in #3197

New Contributors

• @kenrmayfield made their first contribution in #3141
• @Destarianon made their first contribution in #3151
• @wuhgit made their first contribution in #3152
• @nguuuquaaa made their first contribution in #3160
• @ia74 made their first contribution in #3191

Full Changelog: v4.3.2...v4.3.3

Glances 4.3.2

Overview of the TUI:

Overview of the WebUI:

Enhancements:

• Add stats about running VMS (qemu/libvirt/kvm support through virsh) #1531
• Add support for InfluxDB 3 Core #3182
• (postgre)SQL export support / TimeScaleDB #2814
• CSV column name now include the plugin name - Related to #2394
• Make all results from amps plugins exportable #2394
• Make --stdout (csv and json) compliant with client/server mode #3235
• API history endpoints shows times without timezone #3218
• FR: Sort Sensors my name in proper number order #3132
• In the FS module, do not display threshold for volume mounted in 'ro' (read-only) #3143
• Add a new field in the process list to identifie Zombie process #3178
• Update plugin containers display and order #3186
• Implement a basic memory cache with TTL for API call (set to ~1 second) #3202
• Add container inactive_file & limit to InfluxDB2 export #3206

Bug corrected:

• [GPU] AMD Plugin: Operation not permitted #3125
• Container memory stats not displayed #3142
• [WEBUI] Irix mode (per core instead of per CPU percentage) not togglable #3158
• Related to iteritems, itervalues, and iterkeys are not more needed in Python 3 #3181
• Glances Central Browser should use name instead of IP adress for redirection #3103
• Glances breaks if Podman container is started while it is running #3199

Continious integration and documentation:

• Add a new option --print-completion to generate shell tab completion - #3111
• Improve Restful API documentation embeded in FastAPI #2632
• Upgrade JS libs #3147
• Improve unittest for CSV export #3150
• Improve unittest for InfluxDB plugin #3149
• Code refactoring - Rename plugin class to Plugin instead of PluginModel #3169
• Refactor code to limit the complexity of update_views method in plugins #3171

Thanks to all contributors and bug reporters !

Special thanks to:

• Ariel Otilibili
• kenrmayfield

Glances 4.3.1

Enhancements:

• [WebUI] Top processes extended stats and processes filter in Web server mode #410
• I'd like a feature to make the forground color for colored background white #3119
• -disable-bg in ~/.config/glances.conf #3113
• Entry point in the API to get extended process stats #3095
• Replace netifaces by netifaces-plus dependencies #3053
• Replace docker by containers in glances-grafana-flux.json #3118

Bug corrected:

• default_config_dir: Fix config path to include glances/ directory #3106
• Cannot set warning/critical temperature for a specific sensor needs test #3102
• Try to reduce latency between stat's update and view - #3086
• Error on Cloud plugin initialisation make TUI crash #3085

Continious integration:

• Add Selenium to test WebUI #3044
• netifaces (deprecated) is replaced by netifaces2

Thanks to all contributors and bug reporters !

Special thanks to:

• Alexander Kuznetsov
• Jonathan Chemla
• mizulike