Back to overview

CVE-2026-46336

HIGH
7.1
CVSS 3.1
Description
Manyfold is an open source, self-hosted web application for managing a collection of 3d models, particularly focused on 3d printing. From 0.96.0 until 0.140.0, authenticated users can rename uploaded files with path traversal sequences because app/models/model_file.rb uses the user-controlled filename in File.join(model.path, filename) without sufficient sanitization, allowing files to be moved or written outside the configured library directory. This issue is fixed in version 0.140.0.

Metadata

CVE ID
CVE-2026-46336
State
PUBLISHED
Assigner
GitHub_M
Reserved
2026-05-13 18:37 UTC
Published
2026-07-16 17:04 UTC
Last updated
2026-07-16 17:04 UTC
Primary CWE
CWE-22
CWE-22: Improper Limitation of a Pathname to a Restricted Di…
Vendor / Product
manyfold3d / manyfold
Sources
cve.org  ·  NVD

Severity & Metrics

7.1 HIGH CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L
Affected products (1)
VendorProductPlatformVersions
manyfold3d manyfold >= 0.96.0, < 0.140.0
Weakness (CWE)
CWESourceDescription
CWE-22 cna CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-73 cna CWE-73: External Control of File Name or Path
CVSS scores (1)
ScoreSeverityVersionSourceVector
7.1 HIGH 3.1 cna CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L
References (4)
Back to overview