Vulnerability Description
Manyfold is an open source, self-hosted web application for managing a collection of 3d models, particularly focused on 3d printing. Prior to version 0.133.1, the `get_model` method in `ModelFilesController` (line 158-160) loads models using `Model.find_param(params[:model_id])` without `policy_scope()`, bypassing Pundit authorization. All other controllers correctly use `policy_scope(Model).find_param()` (e.g., `ModelsController` line 263). Version 0.133.1 fixes the issue.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Manyfold | Manyfold | < 0.133.1 |
Related Weaknesses (CWE)
References
- https://github.com/manyfold3d/manyfold/releases/tag/v0.133.1ProductRelease Notes
- https://github.com/manyfold3d/manyfold/security/advisories/GHSA-v8pw-3r2f-3fqmMitigationVendor AdvisoryExploit
FAQ
What is CVE-2026-28225?
CVE-2026-28225 is a vulnerability with a CVSS score of 5.3 (MEDIUM). Manyfold is an open source, self-hosted web application for managing a collection of 3d models, particularly focused on 3d printing. Prior to version 0.133.1, the `get_model` method in `ModelFilesCont...
How severe is CVE-2026-28225?
CVE-2026-28225 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-28225?
Check the references section above for vendor advisories and patch information. Affected products include: Manyfold Manyfold.