PT-2026-22040 · Manyfold · Manyfold
Byamb4
·
Published
2026-02-25
·
Updated
2026-03-03
·
CVE-2026-27635
CVSS v3.1
8.8
High
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Manyfold versions prior to 0.133.0
Description
Manyfold is a self-hosted web application used for managing 3D models, with a focus on 3D printing. Prior to version 0.133.0, a logged-in user could achieve Remote Code Execution (RCE) when model render generation is enabled. This occurs by uploading a ZIP archive containing a file with a shell metacharacter in its filename. The filename is then passed to a Ruby backtick call without proper sanitization. The vulnerable component is the handling of filenames during ZIP archive processing. The
filename variable is used in a Ruby backtick call.Recommendations
Versions prior to 0.133.0 should be updated to version 0.133.0 or later.
Exploit
Fix
RCE
OS Command Injection
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Manyfold