Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools

manyfold

Source -

CNANVD

CNA CVEs -

3

ADP CVEs -

0

CISA CVEs -

0

NVD CVEs -

3
Related CVEsRelated VendorsRelated AssignersReports
3Vulnerabilities found
CVE-2026-28225
Assigner-GitHub, Inc.
ShareView Details
Assigner-GitHub, Inc.
CVSS Score-5.3||MEDIUM
EPSS-0.03% / 7.62%
||
7 Day CHG~0.00%
Published-26 Feb, 2026 | 22:40
Updated-27 Feb, 2026 | 18:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Manyfold has IDOR in ModelFilesController

Manyfold is an open source, self-hosted web application for managing a collection of 3d models, particularly focused on 3d printing. Prior to version 0.133.1, the `get_model` method in `ModelFilesController` (line 158-160) loads models using `Model.find_param(params[:model_id])` without `policy_scope()`, bypassing Pundit authorization. All other controllers correctly use `policy_scope(Model).find_param()` (e.g., `ModelsController` line 263). Version 0.133.1 fixes the issue.

Action-Not Available
Vendor-manyfoldmanyfold3d
Product-manyfoldmanyfold
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CVE-2026-27933
Assigner-GitHub, Inc.
ShareView Details
Assigner-GitHub, Inc.
CVSS Score-6.8||MEDIUM
EPSS-0.03% / 8.36%
||
7 Day CHG~0.00%
Published-25 Feb, 2026 | 23:16
Updated-27 Feb, 2026 | 17:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Manyfold vulnerable to session hijack via cookie leakage in proxy caches

Manyfold is an open source, self-hosted web application for managing a collection of 3d models, particularly focused on 3d printing. Versions prior to 0.133.0 are vulnerable to session hijack via cookie leakage in proxy caches. Version 0.133.0 fixes the issue.

Action-Not Available
Vendor-manyfoldmanyfold3d
Product-manyfoldmanyfold
CWE ID-CWE-613
Insufficient Session Expiration
CVE-2026-27635
Assigner-GitHub, Inc.
ShareView Details
Assigner-GitHub, Inc.
CVSS Score-7.5||HIGH
EPSS-0.05% / 14.56%
||
7 Day CHG~0.00%
Published-25 Feb, 2026 | 23:10
Updated-27 Feb, 2026 | 18:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Manyfold vulnerable to OS command injection via ZIP filename in f3d render

Manyfold is an open source, self-hosted web application for managing a collection of 3d models, particularly focused on 3d printing. Prior to version 0.133.0, when model render generation is enabled, a logged-in user can achieve RCE by uploading a ZIP containing a file with a shell metacharacter in its name. The filename reaches a Ruby backtick call unsanitized. Version 0.133.0 fixes the issue.

Action-Not Available
Vendor-manyfoldmanyfold3d
Product-manyfoldmanyfold
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')