Unrated severityNVD Advisory· Published Feb 25, 2026· Updated Feb 26, 2026

Manyfold vulnerable to OS command injection via ZIP filename in f3d render

CVE-2026-27635

Description

Manyfold is an open source, self-hosted web application for managing a collection of 3d models, particularly focused on 3d printing. Prior to version 0.133.0, when model render generation is enabled, a logged-in user can achieve RCE by uploading a ZIP containing a file with a shell metacharacter in its name. The filename reaches a Ruby backtick call unsanitized. Version 0.133.0 fixes the issue.

Affected products

Manyfold3d/Manyfoldllm-fuzzy2 versions
<0.133.0+ 1 more
- (no CPE)range: <0.133.0
- (no CPE)range: < 0.133.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/manyfold3d/manyfold/releases/tag/v0.133.0mitrex_refsource_MISC
github.com/manyfold3d/manyfold/security/advisories/GHSA-p589-cf26-v7h2mitrex_refsource_CONFIRM

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000