Description
Manyfold is an open source, self-hosted web application for managing a collection of 3d models, particularly focused on 3d printing. Prior to version 0.133.0, when model render generation is enabled, a logged-in user can achieve RCE by uploading a ZIP containing a file with a shell metacharacter in its name. The filename reaches a Ruby backtick call unsanitized. Version 0.133.0 fixes the issue.
Published: 2026-02-25
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

Manyfold’s vulnerability is an operating system command injection (CWE‑78) that occurs when a ZIP file containing a file with a shell metacharacter in its name is uploaded. The filename is fed directly into a Ruby backtick call without sanitization, so the shell parses any metacharacters it contains and an attacker can execute arbitrary commands in the rendering backend. The result is remote code execution whenever the model render generation feature is enabled.

Affected Systems

All installations of Manyfold before version 0.133.0 are impacted. The application is a self‑hosted web service provided by manyfold3d; any deployment on which render generation is enabled and authenticated users can upload ZIP archives of models is vulnerable. Version 0.133.0 and later contain the fix.

Risk and Exploitability

The CVSS base score of 7.5 reflects a serious risk, but the EPSS score is below 1%, indicating that the probability of exploitation remains low at present. The issue is not listed in the CISA Known Exploited Vulnerabilities catalog. Exploitation requires an authenticated account and the render feature to be enabled; an attacker can craft a ZIP containing a malicious filename such as ;id; to trigger command execution during rendering.

Generated by OpenCVE AI on April 17, 2026 at 14:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Manyfold to version 0.133.0 or later to apply the vendor’s fix.
  • Disable the model render generation feature until a patch is installed, removing the vulnerable execution path.
  • Validate and sanitize all uploaded ZIP filenames, rejecting names that contain shell metacharacters before processing.
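The vulnerable pattern described under Impact (a filename interpolated into a Ruby backtick string) and the filename check recommended above, shown side by side as an added Ruby example; this is not Manyfold's own code, and the f3d arguments, function names and sample filenames are assumptions constructed for illustration. The argv form is the actual fix: with no shell involved, the filename cannot change the command, so the metacharacter check is defence in depth rather than the only barrier.

```ruby
require "open3"
require "rbconfig"

# Characters that let an interpolated filename change the meaning of a
# shell command line: separators, redirections, substitutions, quoting,
# globbing and whitespace. (Assumed list; tighten to your own policy.)
SHELL_METACHARACTERS = /[;&|<>()$`\\"'*?\[\]{}~#\s]/

# Pre-processing check for ZIP entry names: reject path separators,
# traversal and anything the shell would treat as syntax.
def safe_entry_name?(name)
  return false if name.nil? || name.empty?
  return false if name.include?("/") || name.include?("\\") || name.include?("..")
  !name.match?(SHELL_METACHARACTERS)
end

# Vulnerable shape (built but never executed here): a backtick string hands
# the whole line to /bin/sh, so metacharacters in `path` become shell syntax.
# A name like "benchy;id;.stl" turns into three commands instead of one.
def unsafe_render_line(path)
  "f3d --output render.png #{path}"   # what `...` would pass to the shell
end

# Hardened shape: an argv array run with Open3.capture2 (multiple arguments),
# which execs the binary directly. The filename is delivered to the renderer
# as exactly one argument whatever characters it holds. Flags are illustrative.
def render_argv(path)
  ["f3d", "--output", "render.png", path]
end

# Probe showing that the argv form does not interpret metacharacters. Instead
# of the renderer (which may not be installed) it runs the Ruby interpreter
# itself with the name as ARGV[0] and checks the name arrives unchanged.
def argv_preserves?(name)
  out, status = Open3.capture2(RbConfig.ruby, "-e", "print ARGV[0]", "--", name)
  status.success? && out == name
end

if __FILE__ == $PROGRAM_NAME
  ["benchy.stl", "benchy;id;.stl", "a b$(x).stl"].each do |n|
    puts "#{n.inspect}: safe=#{safe_entry_name?(n)} argv_intact=#{argv_preserves?(n)}"
  end
end
```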


Advisories

No advisories yet.

History

Fri, 27 Feb 2026 18:45:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Manyfold; Manyfold manyfold
CPEs                |                | cpe:2.3:a:manyfold:manyfold:*:*:*:*:*:*:*:*
Vendors & Products  |                | Manyfold; Manyfold manyfold

Thu, 26 Feb 2026 19:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 26 Feb 2026 13:30:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Manyfold3d; Manyfold3d manyfold
Vendors & Products  |                | Manyfold3d; Manyfold3d manyfold

Wed, 25 Feb 2026 23:30:00 +0000

Type        | Values Removed | Values Added
Description |                | Manyfold is an open source, self-hosted web application for managing a collection of 3d models, particularly focused on 3d printing. Prior to version 0.133.0, when model render generation is enabled, a logged-in user can achieve RCE by uploading a ZIP containing a file with a shell metacharacter in its name. The filename reaches a Ruby backtick call unsanitized. Version 0.133.0 fixes the issue.
Title       |                | Manyfold vulnerable to OS command injection via ZIP filename in f3d render
Weaknesses  |                | CWE-78
References  |                |
Metrics     |                | cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-26T16:52:18.942Z

Reserved: 2026-02-20T22:02:30.028Z

Link: CVE-2026-27635

Vulnrichment

Updated: 2026-02-26T16:52:13.769Z

NVD

Status : Analyzed

Published: 2026-02-26T00:16:24.307

Modified: 2026-02-27T18:36:30.553

Link: CVE-2026-27635

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T14:45:21Z

Weaknesses