CVE-2026-27635

Name of the Vulnerable Software and Affected Versions Manyfold versions prior to 0.133.0

Description Manyfold is a self-hosted web application used for managing 3D models, with a focus on 3D printing. Prior to version 0.133.0, a logged-in user could achieve Remote Code Execution (RCE) when model render generation is enabled. This occurs by uploading a ZIP archive containing a file with a shell metacharacter in its filename. The filename is then passed to a Ruby backtick call without proper sanitization. The vulnerable component is the handling of filenames during ZIP archive processing. The filename variable is used in a Ruby backtick call.

Recommendations Versions prior to 0.133.0 should be updated to version 0.133.0 or later.