{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-05-11T17:52:41.332","vulnerabilities":[{"cve":{"id":"CVE-2026-27635","sourceIdentifier":"security-advisories@github.com","published":"2026-02-26T00:16:24.307","lastModified":"2026-02-27T18:36:30.553","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Manyfold is an open source, self-hosted web application for managing a collection of 3d models, particularly focused on 3d printing. Prior to version 0.133.0, when model render generation is enabled, a logged-in user can achieve RCE by uploading a ZIP containing a file with a shell metacharacter in its name. The filename reaches a Ruby backtick call unsanitized. Version 0.133.0 fixes the issue."},{"lang":"es","value":"Manyfold es una aplicación web de código abierto y autoalojada para gestionar una colección de modelos 3D, particularmente enfocada en la impresión 3D. Antes de la versión 0.133.0, cuando la generación de renderizados de modelos está habilitada, un usuario autenticado puede lograr RCE al subir un archivo ZIP que contiene un archivo con un metacarácter de shell en su nombre. El nombre del archivo llega a una llamada de backtick de Ruby sin sanear. La versión 0.133.0 corrige el problema."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.6,"impactScore":5.9},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.9}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-78"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:manyfold:manyfold:*:*:*:*:*:*:*:*","versionEndExcluding":"0.133.0","matchCriteriaId":"6F54584E-5C84-449F-848F-730DC1BECAC2"}]}]}],"references":[{"url":"https://github.com/manyfold3d/manyfold/releases/tag/v0.133.0","source":"security-advisories@github.com","tags":["Product","Release Notes"]},{"url":"https://github.com/manyfold3d/manyfold/security/advisories/GHSA-p589-cf26-v7h2","source":"security-advisories@github.com","tags":["Exploit","Vendor Advisory"]}]}}]}