Description
In libslic3r/GCode/PostProcessor.cpp in Prusa PrusaSlicer through 2.6.1, a crafted 3mf project file can execute arbitrary code on a host where the project is sliced and G-code exported.
Published: 2026-05-08
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

PrusaSlicer is a 3D printing slicing application that converts 3D model files into G‑code. A flaw in the PostProcessor component allows an attacker to embed malicious commands within a crafted 3mf project file. When a user loads such a file and exports or previews G‑code, the application inadvertently executes arbitrary code with the privileges of the user running PrusaSlicer. The impact, therefore, is that a local attacker can run any code, potentially installing malware, exfiltrating data or gaining full control of the host. Based on the description, the attack is inferred to be local, requiring the attacker to supply a malicious 3mf file to a system that regularly opens such files for slicing.

Affected Systems

PrusaSlicer versions up to 2.6.1 on Windows, macOS, and Linux.

Risk and Exploitability

The vulnerability enables unrestricted local code execution, giving the attacker full control over the affected system. The CVSS score is 5.3, the EPSS score is <1%, and there is no KEV listing. The potential impact still makes this issue a top priority. The likely attack vector is a local attacker who can supply a malicious 3mf file to a system that routinely opens such files for slicing.

Generated by OpenCVE AI on May 8, 2026 at 21:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update PrusaSlicer to the latest release or any version that no longer contains the vulnerable PostProcessor implementation.
  • If a patch is not yet available, avoid opening or importing 3mf files from unknown or untrusted sources before exporting G‑code.
  • Run PrusaSlicer with the least privileges necessary, ideally within a sandbox or container, to limit the scope of potential code execution.

Generated by OpenCVE AI on May 8, 2026 at 21:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 11 May 2026 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Prusa3d
Prusa3d prusaslicer
CPEs cpe:2.3:a:prusa3d:prusaslicer:*:*:*:*:*:*:*:*
Vendors & Products Prusa3d
Prusa3d prusaslicer

Fri, 08 May 2026 21:45:00 +0000

Type Values Removed Values Added
Title Arbitrary Code Execution via Malformed 3MF File in PrusaSlicer

Fri, 08 May 2026 20:30:00 +0000

Type Values Removed Values Added
Title Execution of arbitrary code via malicious 3mf file in PrusaSlicer
Weaknesses CWE-78

Fri, 08 May 2026 17:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-77
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 08 May 2026 06:45:00 +0000

Type Values Removed Values Added
Title Execution of arbitrary code via malicious 3mf file in PrusaSlicer
Weaknesses CWE-78

Fri, 08 May 2026 05:45:00 +0000

Type Values Removed Values Added
Description In libslic3r/GCode/PostProcessor.cpp in Prusa PrusaSlicer through 2.6.1, a crafted 3mf project file can execute arbitrary code on a host where the project is sliced and G-code exported.
References

Subscriptions

Prusa3d Prusaslicer
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-08T17:07:37.996Z

Reserved: 2023-11-05T00:00:00.000Z

Link: CVE-2023-47268

cve-icon Vulnrichment

Updated: 2026-05-08T17:06:52.978Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-08T06:16:08.667

Modified: 2026-05-11T12:58:54.733

Link: CVE-2023-47268

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-11T16:00:20Z

Weaknesses