PatchSiren cyber security CVE debrief
CVE-2026-46336 manyfold3d CVE debrief
CVE-2026-46336 is a path traversal vulnerability in Manyfold, a self-hosted web application for managing 3D models. Authenticated users can rename uploaded files with path traversal sequences because app/models/model_file.rb uses the user-controlled filename in File.join(model.path, filename) without sufficient sanitization, allowing files to be moved or written outside the configured library directory. This issue is fixed in version 0.140.0.
- Vendor
- manyfold3d
- Product
- manyfold
- CVSS
- HIGH 7.1
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-16
- Original CVE updated
- 2026-07-16
- Advisory published
- 2026-07-16
- Advisory updated
- 2026-07-16
Who should care
Users of Manyfold 3D model management application, particularly those using versions between 0.96.0 and 0.140.0, should be aware of this vulnerability and take steps to protect their installations.
Technical summary
The Manyfold application, used for managing 3D models, is vulnerable to a path traversal attack. This vulnerability, identified as CVE-2026-46336, allows authenticated users to rename uploaded files using path traversal sequences. The issue arises from the use of user-controlled filenames in the File.join(model.path, filename) function within the app/models/model_file.rb file, without adequate sanitization. This oversight enables attackers to move or write files outside the designated library directory, potentially leading to unauthorized data access or modification.
Defensive priority
High priority should be given to updating Manyfold to version 0.140.0 or later, as this version addresses the path traversal vulnerability. In the interim, users should closely monitor their Manyfold installations for suspicious activity and restrict access to authenticated users.
Recommended defensive actions
- Update Manyfold to version 0.140.0 or later
- Monitor Manyfold installations for suspicious activity
- Restrict access to authenticated users
- Review and adjust file permissions and access controls
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
- Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance
- Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed
Evidence notes
The CVE record was published on 2026-07-16T18:16:43.773Z and has not been modified since then. The NVD entry is currently being reviewed. Evidence is limited to public sources and may not reflect the full scope of the vulnerability. Defenders should verify the affected scope and severity with the vendor and consider compensating controls.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-16T18:16:43.773Z and has not been modified since then.