Description
In libslic3r/GCode/PostProcessor.cpp in Prusa PrusaSlicer through 2.6.1, a crafted 3mf project file can execute arbitrary code on a host where the project is sliced and G-code exported.
Published: 2026-05-08
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

PrusaSlicer is a 3D printing slicing application that converts 3D model files into G‑. A flaw in the PostProcessor component allows an attacker to embed malicious commands within a crafted 3mf project file. When a user loads such a file and exports or previews G‑code, the application inadvertently executes arbitrary code with the privileges of the user running PrusaSlicer. The impact, therefore, is that a local attacker can run any code, potentially installing malware, exfiltrating data or gaining full control of the host. Based on the description, the attack is inferred to be local, requiring the attacker to supply a malicious 3mf file to a system that regularly opens such files for slicing.

Affected Systems

PrusaSlicer versions up to 2.6.1 on Windows, macOS, and Linux.

Risk and Exploitability

The vulnerability enables unrestricted local code execution, giving the attacker full control over the affected system. There is no published exploit score or KEV listing, and the EPSS data is unavailable, but the very high potential impact makes this issue a top priority. The likely attack vector is a local attacker who can supply a malicious 3mf file to a system that routinely opens such files for slicing.

Generated by OpenCVE AI on May 8, 2026 at 06:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update PrusaSlicer to the latest release or any version that no longer contains the vulnerable PostProcessor implementation.
  • If a patch is not yet available, avoid opening or importing 3mf files from unknown or untrusted sources before exporting G‑code.
  • Run PrusaSlicer with the least privileges necessary, ideally within a sandbox or container, to limit the scope of potential code execution.

Generated by OpenCVE AI on May 8, 2026 at 06:32 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 08 May 2026 06:45:00 +0000

Type Values Removed Values Added
Title Execution of arbitrary code via malicious 3mf file in PrusaSlicer
Weaknesses CWE-78

Fri, 08 May 2026 05:45:00 +0000

Type Values Removed Values Added
Description In libslic3r/GCode/PostProcessor.cpp in Prusa PrusaSlicer through 2.6.1, a crafted 3mf project file can execute arbitrary code on a host where the project is sliced and G-code exported.
References

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-08T04:51:42.650Z

Reserved: 2023-11-05T00:00:00.000Z

Link: CVE-2023-47268

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-08T06:16:08.667

Modified: 2026-05-08T06:16:08.667

Link: CVE-2023-47268

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-08T06:45:03Z

Weaknesses