python · glances · Heads-up

Glances XML-RPC Server Missing Host Header Validation

The Glances XML-RPC server (glances -s) does not validate the HTTP Host header, leaving it vulnerable to DNS rebinding attacks.

23 Jun 2026 · Read 1 min · Severity: schedule it

What changed

The Glances XML-RPC server (glances -s) does not validate the HTTP Host header, leaving it vulnerable to DNS rebinding attacks. The REST/WebUI and MCP servers have been patched with Host validation, but the XML-RPC server has not.

Who it affects

Any user whose browser can reach a Glances XML-RPC server and who can be lured to visit an attacker-controlled web page. This includes deployments bound to a loopback, LAN, or public IP address.

What to do today

Apply the suggested fix by adding Host header validation to GlancesXMLRPCHandler or deprecate the XML-RPC server in favor of the REST API.
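
A sketch of what Host header validation on an XML-RPC handler can look like. This is an added example, not Glances code or the project's patch. It assumes a handler built on the standard library's SimpleXMLRPCRequestHandler; ALLOWED_HOSTS, HostCheckingXMLRPCHandler and probe are hypothetical names, and the Host values are constructed.

```python
import http.client
import threading
import xmlrpc.client
from xmlrpc.server import SimpleXMLRPCRequestHandler, SimpleXMLRPCServer

# Assumption: the names/addresses clients legitimately use to reach this server.
ALLOWED_HOSTS = frozenset({"localhost", "127.0.0.1", "::1"})

def host_is_allowed(host_header, allowed=ALLOWED_HOSTS):
    """True only if the Host header (port stripped) is on the allowlist."""
    host = (host_header or "").strip().lower()
    if host.startswith("["):                 # "[::1]:8000" -> "::1"
        host = host[1:].split("]", 1)[0]
    elif host.count(":") == 1:               # "name:8000" -> "name"
        host = host.rsplit(":", 1)[0]
    return host.rstrip(".") in allowed

class HostCheckingXMLRPCHandler(SimpleXMLRPCRequestHandler):
    """Hypothetical handler: reject a request before any XML-RPC dispatch."""
    def do_POST(self):
        if host_is_allowed(self.headers.get("Host")):
            return super().do_POST()
        # Drain a bounded part of the body so the 403 reaches the client cleanly.
        declared = self.headers.get("Content-Length", "0")
        self.rfile.read(min(int(declared), 65536) if declared.isdigit() else 0)
        self.send_error(403, "Host header not allowed")

def probe(host_header):
    """Call ping() on a throwaway loopback server; return the HTTP status."""
    server = SimpleXMLRPCServer(("127.0.0.1", 0), logRequests=False,
                                requestHandler=HostCheckingXMLRPCHandler)
    server.register_function(lambda: "ok", "ping")
    worker = threading.Thread(target=server.handle_request, daemon=True)
    worker.start()
    body = xmlrpc.client.dumps((), "ping").encode()
    conn = http.client.HTTPConnection("127.0.0.1", server.server_address[1], timeout=5)
    try:
        conn.putrequest("POST", "/RPC2", skip_host=True)
        conn.putheader("Host", host_header)          # constructed Host value
        conn.putheader("Content-Type", "text/xml")
        conn.putheader("Content-Length", str(len(body)))
        conn.endheaders(body)
        return conn.getresponse().status
    finally:
        conn.close()
        worker.join(5)
        server.server_close()
```

The allowlist has to contain every name clients legitimately use for the server. A request that arrives under any other name, which is how a rebound attacker domain shows up, is refused with 403 before the XML-RPC body is parsed.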
