CVE-2026-27635 Ruby — Exploit & Vulnerability Details HIGH

CVE-2026-27635

HIGH CVSS 3.1: 7.5 EPSS 0.06%

Parameter	Value
CVSS	7.5 (HIGH)
Type	CWE-78 (OS Command Injection)
Vendor	Ruby
Public PoC	No

Manyfold is an open source, self-hosted web application for managing a collection of 3d models, particularly focused on 3d printing. Prior to version 0.133.0, when model render generation is enabled, a logged-in user can achieve RCE by uploading a ZIP containing a file with a shell metacharacter in its name. The filename reaches a Ruby backtick call unsanitized.

Version 0.133.0 fixes the issue.

Attack Parameters

Attack Vector

Network

Can be exploited remotely

Attack Complexity

High

Difficult to exploit

Privileges Required

Low

Basic privileges needed

User Interaction

None

No user interaction needed

Impact Assessment

Confidentiality

High

Complete data leak

Integrity

High

Complete data modification

Availability

High

Complete denial of service

CVSS Vector v3.1

Weakness Type (CWE)

CWE-78 OS Command Injection

References 2

https://github.com/manyfold3d/manyfold/releases/tag/v0.133.0

security-advisories@github.com

https://github.com/manyfold3d/manyfold/security/advisories/GHSA-p589-cf26-v7h2

security-advisories@github.com

Share Post Share Share Share

Related Vulnerabilities

CVE-2026-31830

Ruby

7.5

CVE-2026-27614

Ruby

9.3

CVE-2026-2302

Ruby

6.9

CVE-2026-25765

Ruby

5.8

CVE-2026-25757

Ruby

7.7

Menu

CVE-2026-27635

Attack Parameters

Impact Assessment

CVSS Vector v3.1

Weakness Type (CWE)

References 2

Related Vulnerabilities

CVE-2026-31830

CVE-2026-27614

CVE-2026-2302

CVE-2026-25765

CVE-2026-25757

CVE Details

Editor's Choice

Menu

CVE-2026-27635

Attack Parameters

Impact Assessment

CVSS Vector v3.1

Weakness Type (CWE)

References 2

Related Vulnerabilities

CVE-2026-31830

CVE-2026-27614

CVE-2026-2302

CVE-2026-25765

CVE-2026-25757

CVE Details

Editor's Choice

Stay informed on cybersecurity