CVE-2026-27635
Severity: HIGH
WAF coverage: High
CVSS 8.8
Published: 2026-02-26
CWE-78
Manyfold is an open source, self-hosted web application for managing a collection of 3D models, particularly focused on 3D printing. Prior to version 0.133.0, when model render generation is enabled, a logged-in user can achieve RCE by uploading a ZIP containing a file with a shell metacharacter in its name. The filename reaches a Ruby backtick call unsanitized. Version 0.133.0 fixes the issue.
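The backtick pattern described above, next to a shell-free replacement, as an added example that is not Manyfold's code. `echo` stands in for the render tool, and the method names, the sample filename and the allowlist policy are assumptions.

```ruby
require "open3"

# Constructed sample: an entry name as it could appear inside an uploaded ZIP.
HOSTILE_NAME = "part.stl; echo INJECTED"

# Vulnerable pattern: backticks hand the whole string to /bin/sh, so the
# interpolated name is parsed as shell syntax. `echo` stands in for the
# render tool (hypothetical; the real command is not shown on the page).
def render_unsafe(name)
  `echo rendering #{name}`
end

# Hardened pattern: argv form. No shell is started and the name is always
# exactly one argument, whatever characters it contains.
def render_safe(name)
  out, status = Open3.capture2e("echo", "rendering", name)
  raise "render command failed" unless status.success?
  out
end

# Defence in depth at extraction time: allowlist of characters, no leading
# dot or dash, no path components, bounded length. The policy is an assumption.
ENTRY_NAME = /\A[A-Za-z0-9_][A-Za-z0-9_.\-]{0,254}\z/

def entry_name_allowed?(name)
  File.basename(name) == name && ENTRY_NAME.match?(name)
end

if __FILE__ == $PROGRAM_NAME
  puts "unsafe: #{render_unsafe(HOSTILE_NAME).inspect}"
  puts "safe:   #{render_safe(HOSTILE_NAME).inspect}"
  puts "name allowed? #{entry_name_allowed?(HOSTILE_NAME)}"
end
```

The unsafe call returns two lines of output because the shell ran a second command; the argv form returns the name verbatim as a single argument.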
WAF Coverage Analysis
OS Command Injection
High WAF Coverage
OWASP: A03:2021 Injection
932xxx - Remote Code Execution
Affected Software
| Vendor | Product | Version |
|---|---|---|
| manyfold | manyfold | before 0.133.0 (fixed in 0.133.0) |