Manyfold is an open source, self-hosted web application for managing a collection of 3d models, particularly focused on 3d printing. From 0.96.0 until 0.140.0, authenticated users can rename uploaded files with path traversal sequences because app/models/model_file.rb uses the user-controlled filename in File.join(model.path, filename) without sufficient sanitization, allowing files to be moved or written outside the configured library directory. This issue is fixed in version 0.140.0.

Project Subscriptions

Vendors Products
Manyfold3d Subscribe
Manyfold Subscribe
Advisories

No advisories yet.

Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

Thu, 16 Jul 2026 18:45:00 +0000

Type Values Removed Values Added
First Time appeared Manyfold3d
Manyfold3d manyfold
Vendors & Products Manyfold3d
Manyfold3d manyfold

Thu, 16 Jul 2026 17:30:00 +0000

Type Values Removed Values Added
Description Manyfold is an open source, self-hosted web application for managing a collection of 3d models, particularly focused on 3d printing. From 0.96.0 until 0.140.0, authenticated users can rename uploaded files with path traversal sequences because app/models/model_file.rb uses the user-controlled filename in File.join(model.path, filename) without sufficient sanitization, allowing files to be moved or written outside the configured library directory. This issue is fixed in version 0.140.0.
Title Manyfold: Authenticated Path Traversal via File Rename
Weaknesses CWE-22
CWE-73
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L'}


Projects

Sign in to view the affected projects.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-07-16T17:04:31.056Z

Reserved: 2026-05-13T18:37:30.989Z

Link: CVE-2026-46336

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-16T18:30:04Z

Weaknesses