Search criteria
3 vulnerabilities by manyfold3d
CVE-2026-28225 (GCVE-0-2026-28225)
Vulnerability from cvelistv5 – Published: 2026-02-26 22:40 – Updated: 2026-02-27 18:33
VLAI
Title
Manyfold has IDOR in ModelFilesController
Summary
Manyfold is an open source, self-hosted web application for managing a collection of 3d models, particularly focused on 3d printing. Prior to version 0.133.1, the `get_model` method in `ModelFilesController` (line 158-160) loads models using `Model.find_param(params[:model_id])` without `policy_scope()`, bypassing Pundit authorization. All other controllers correctly use `policy_scope(Model).find_param()` (e.g., `ModelsController` line 263). Version 0.133.1 fixes the issue.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/manyfold3d/manyfold/security/a… | x_refsource_CONFIRM |
| https://github.com/manyfold3d/manyfold/releases/t… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| manyfold3d | manyfold |
Affected:
< 0.133.1
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-28225",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-27T18:18:53.353142Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-27T18:33:16.833Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "manyfold",
"vendor": "manyfold3d",
"versions": [
{
"status": "affected",
"version": "\u003c 0.133.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Manyfold is an open source, self-hosted web application for managing a collection of 3d models, particularly focused on 3d printing. Prior to version 0.133.1, the `get_model` method in `ModelFilesController` (line 158-160) loads models using `Model.find_param(params[:model_id])` without `policy_scope()`, bypassing Pundit authorization. All other controllers correctly use `policy_scope(Model).find_param()` (e.g., `ModelsController` line 263). Version 0.133.1 fixes the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-26T22:40:17.996Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/manyfold3d/manyfold/security/advisories/GHSA-v8pw-3r2f-3fqm",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/manyfold3d/manyfold/security/advisories/GHSA-v8pw-3r2f-3fqm"
},
{
"name": "https://github.com/manyfold3d/manyfold/releases/tag/v0.133.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/manyfold3d/manyfold/releases/tag/v0.133.1"
}
],
"source": {
"advisory": "GHSA-v8pw-3r2f-3fqm",
"discovery": "UNKNOWN"
},
"title": "Manyfold has IDOR in ModelFilesController"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-28225",
"datePublished": "2026-02-26T22:40:17.996Z",
"dateReserved": "2026-02-25T15:28:40.650Z",
"dateUpdated": "2026-02-27T18:33:16.833Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-27933 (GCVE-0-2026-27933)
Vulnerability from cvelistv5 – Published: 2026-02-25 23:16 – Updated: 2026-02-26 16:45
VLAI
Title
Manyfold vulnerable to session hijack via cookie leakage in proxy caches
Summary
Manyfold is an open source, self-hosted web application for managing a collection of 3d models, particularly focused on 3d printing. Versions prior to 0.133.0 are vulnerable to session hijack via cookie leakage in proxy caches. Version 0.133.0 fixes the issue.
Severity
6.8 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-613 - Insufficient Session Expiration
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/manyfold3d/manyfold/security/a… | x_refsource_CONFIRM |
| https://github.com/manyfold3d/manyfold/releases/t… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| manyfold3d | manyfold |
Affected:
< 0.133.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-27933",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-26T16:45:19.118722Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-26T16:45:33.523Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "manyfold",
"vendor": "manyfold3d",
"versions": [
{
"status": "affected",
"version": "\u003c 0.133.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Manyfold is an open source, self-hosted web application for managing a collection of 3d models, particularly focused on 3d printing. Versions prior to 0.133.0 are vulnerable to session hijack via cookie leakage in proxy caches. Version 0.133.0 fixes the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-613",
"description": "CWE-613: Insufficient Session Expiration",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-25T23:16:01.572Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/manyfold3d/manyfold/security/advisories/GHSA-g949-hmvj-2r76",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/manyfold3d/manyfold/security/advisories/GHSA-g949-hmvj-2r76"
},
{
"name": "https://github.com/manyfold3d/manyfold/releases/tag/v0.133.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/manyfold3d/manyfold/releases/tag/v0.133.0"
}
],
"source": {
"advisory": "GHSA-g949-hmvj-2r76",
"discovery": "UNKNOWN"
},
"title": "Manyfold vulnerable to session hijack via cookie leakage in proxy caches"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-27933",
"datePublished": "2026-02-25T23:16:01.572Z",
"dateReserved": "2026-02-25T03:11:36.688Z",
"dateUpdated": "2026-02-26T16:45:33.523Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-27635 (GCVE-0-2026-27635)
Vulnerability from cvelistv5 – Published: 2026-02-25 23:10 – Updated: 2026-02-26 16:52
VLAI
Title
Manyfold vulnerable to OS command injection via ZIP filename in f3d render
Summary
Manyfold is an open source, self-hosted web application for managing a collection of 3d models, particularly focused on 3d printing. Prior to version 0.133.0, when model render generation is enabled, a logged-in user can achieve RCE by uploading a ZIP containing a file with a shell metacharacter in its name. The filename reaches a Ruby backtick call unsanitized. Version 0.133.0 fixes the issue.
Severity
7.5 (High)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/manyfold3d/manyfold/security/a… | x_refsource_CONFIRM |
| https://github.com/manyfold3d/manyfold/releases/t… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| manyfold3d | manyfold |
Affected:
< 0.133.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-27635",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-26T16:52:07.119879Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-26T16:52:18.942Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "manyfold",
"vendor": "manyfold3d",
"versions": [
{
"status": "affected",
"version": "\u003c 0.133.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Manyfold is an open source, self-hosted web application for managing a collection of 3d models, particularly focused on 3d printing. Prior to version 0.133.0, when model render generation is enabled, a logged-in user can achieve RCE by uploading a ZIP containing a file with a shell metacharacter in its name. The filename reaches a Ruby backtick call unsanitized. Version 0.133.0 fixes the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-25T23:10:27.951Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/manyfold3d/manyfold/security/advisories/GHSA-p589-cf26-v7h2",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/manyfold3d/manyfold/security/advisories/GHSA-p589-cf26-v7h2"
},
{
"name": "https://github.com/manyfold3d/manyfold/releases/tag/v0.133.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/manyfold3d/manyfold/releases/tag/v0.133.0"
}
],
"source": {
"advisory": "GHSA-p589-cf26-v7h2",
"discovery": "UNKNOWN"
},
"title": "Manyfold vulnerable to OS command injection via ZIP filename in f3d render"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-27635",
"datePublished": "2026-02-25T23:10:27.951Z",
"dateReserved": "2026-02-20T22:02:30.028Z",
"dateUpdated": "2026-02-26T16:52:18.942Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}