Manyfold 3D Model Manager: Unrestricted File Upload Allows Remote Code Execution

CVE-2026-27635
Summary

Manyfold's model rendering feature allowed a logged-in user to run commands on the server by uploading a ZIP archive containing a file with a shell metacharacter in its name. This has been fixed in version 0.133.0. Users should update to version 0.133.0 or later.

What to do

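Update to Manyfold 0.133.0 or later, which fixes the issue. The vulnerable code path is reachable only when model render generation is enabled and the attacker is logged in.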

Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| manyfold | manyfold | <= 0.133.0 | – |
Original title
Manyfold is an open source, self-hosted web application for managing a collection of 3d models, particularly focused on 3d printing. Prior to version 0.133.0, when model render generation is enable...
Original description
Manyfold is an open source, self-hosted web application for managing a collection of 3d models, particularly focused on 3d printing. Prior to version 0.133.0, when model render generation is enabled, a logged-in user can achieve RCE by uploading a ZIP containing a file with a shell metacharacter in its name. The filename reaches a Ruby backtick call unsanitized. Version 0.133.0 fixes the issue.
NVD CVSS 3.1: 8.8
Vulnerability type
CWE-78 OS Command Injection
Published: 26 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026
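
The bug class named in the description above (a filename interpolated into a Ruby backtick call) shown beside a shell-free form, as an added example that is not Manyfold's code. `echo` stands in for the render command, and the method names, the allowlist pattern and the sample filename are assumptions constructed for illustration.

```ruby
require "open3"

# Constructed sample: an archive entry name carrying a shell metacharacter.
SAMPLE_NAME = "part;echo INJECTED.stl"

# Allowlist for entry names (assumed policy): starts with an alphanumeric, so it
# cannot be read as a command-line option, and holds no shell or path characters.
# \A and \z anchor the whole string; ^ and $ would let a newline slip through.
ALLOWED_NAME = /\A[A-Za-z0-9][A-Za-z0-9._ -]*\z/

def safe_entry_name?(name)
  File.basename(name) == name && name.match?(ALLOWED_NAME)
end

# Unsafe pattern: the name becomes part of a string that /bin/sh parses,
# so the ';' ends the intended command and starts a second one.
def render_unsafe(name)
  `echo rendering #{name}`
end

# Hardened pattern: argv form, no shell involved. The name is passed as a
# single argument whatever characters it contains.
def render_safe(name)
  out, status = Open3.capture2("echo", "rendering", name)
  raise "render command failed" unless status.success?
  out
end

if __FILE__ == $PROGRAM_NAME
  puts "unsafe: #{render_unsafe(SAMPLE_NAME).inspect}"
  puts "safe:   #{render_safe(SAMPLE_NAME).inspect}"
  puts "name accepted? #{safe_entry_name?(SAMPLE_NAME)}"
end
```

The argv form removes the shell from the path entirely; the allowlist is a second layer that rejects such names at upload time, before any file is written or processed.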