Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L
Network-facing web app renamable by any authenticated low-privilege user (PR:L, AC:L, UI:N); write/move-only primitive gives I:H and modest A:L with no read, so C:N.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L
Lifecycle Timeline
4DescriptionCVE.org
Manyfold is an open source, self-hosted web application for managing a collection of 3d models, particularly focused on 3d printing. From 0.96.0 until 0.140.0, authenticated users can rename uploaded files with path traversal sequences because app/models/model_file.rb uses the user-controlled filename in File.join(model.path, filename) without sufficient sanitization, allowing files to be moved or written outside the configured library directory. This issue is fixed in version 0.140.0.
AnalysisAI
Path traversal in Manyfold's file-rename functionality (versions 0.96.0 through 0.139.x) lets an authenticated user move or write files outside the configured 3D-model library directory. The flaw stems from app/models/model_file.rb passing a user-controlled filename straight into File.join(model.path, filename) without stripping '..' sequences, giving low-privileged users write/overwrite primitives on the host filesystem. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated Manyfold account with permission to upload and rename model files (CVSS PR:L), and the attacker must set a file's filename to a value containing path-traversal sequences (e.g. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The provided CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L, base 7.1) describes a network-reachable, low-complexity attack requiring only low-privilege authentication and no user interaction, with high integrity impact (arbitrary file write/move) and low availability impact but no confidentiality loss. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with a low-privileged Manyfold account uploads a model file and then renames it to a value such as '../../../../etc/passwd' or a path targeting a writable Rails config or startup file. Because the filename is joined to the library path without sanitization, the file is moved or written outside the library directory, letting the attacker overwrite or plant files on the host. … |
| Remediation | Upgrade to Manyfold 0.140.0 or later - Vendor-released patch: v0.140.0 - which adds filename normalization that strips '..' and '.' path segments and sanitizes each remaining component (see PR https://github.com/manyfold3d/manyfold/pull/6122 and commit ed6a53e54926708594c07d222155ac3a22f93174). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, inventory Manyfold deployments and identify running versions; if any version 0.96.0 through 0.139.x is present, immediately revoke file-rename permissions from non-administrative users and review recent file modification logs for suspicious activity. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Remote code execution in Manyfold prior to version 0.133.0 allows authenticated users to execute arbitrary commands by u
Session hijacking in Manyfold prior to version 0.133.0 allows unauthenticated attackers to steal user session cookies th
Manyfold versions up to 0.133.1 is affected by authorization bypass through user-controlled key (CVSS 5.3).
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44989