Manyfold is an open source, self-hosted web application for managing a collection of 3d models, particularly focused on 3d printing. Versions prior to 0.133.0 are vulnerable to session hijack via cookie leakage in proxy caches. Version 0.133.0 fixes the issue.

CVE Database V5

Detailed information about CVE-2026-27933: CWE-613: Insufficient Session Expiration in manyfold3d manyfold affecting manyfold3d manyfold. Get real-time updates,

CVE-2026-27933: CWE-613: Insufficient Session Expiration in manyfold3d manyfold - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2026-27933: CWE-613: Insufficient Session Expiration in manyfold3d manyfold

Manyfold is an open source, self-hosted web application for managing a collection of 3d models, particularly focused on 3d printing. Prior to version 0.133.0, when model render generation is enabled, a logged-in user can achieve RCE by uploading a ZIP containing a file with a shell metacharacter in its name. The filename reaches a Ruby backtick call unsanitized. Version 0.133.0 fixes the issue.

Detailed information about CVE-2026-27635: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in manyfold3d many

CVE-2026-27635: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in manyfold3d manyfold - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2026-27635: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in manyfold3d manyfold

TinyWeb is a web server (HTTP, HTTPS) written in Delphi for Win32. Versions prior to version 2.02 have a Denial of Service (DoS) vulnerability via memory exhaustion. Unauthenticated remote attackers can send an HTTP POST request to the server with an exceptionally large `Content-Length` header (e.g., `2147483647`). The server continuously allocates memory for the request body (`EntityBody`) while streaming the payload without enforcing any maximum limit, leading to all available memory being consumed and causing the server to crash. Anyone hosting services using TinyWeb is impacted. Version 2.02 fixes the issue. The patch introduces a `CMaxEntityBodySize` limit (set to 10MB) for the maximum size of accepted payloads. As a temporary workaround if upgrading is not immediately possible, consider placing the server behind a Web Application Firewall (WAF) or reverse proxy (like nginx or Cloudflare) configured to explicitly limit the maximum allowed HTTP request body size (e.g., `client_max_body_size` in nginx).

Detailed information about CVE-2026-27633: CWE-400: Uncontrolled Resource Consumption in maximmasiutin TinyWeb affecting maximmasiutin TinyWeb. Get real-time up

CVE-2026-27633: CWE-400: Uncontrolled Resource Consumption in maximmasiutin TinyWeb - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2026-27633: CWE-400: Uncontrolled Resource Consumption in maximmasiutin TinyWeb

TinyWeb is a web server (HTTP, HTTPS) written in Delphi for Win32. Versions prior to version 2.02 are vulnerable to a Denial of Service (DoS) attack known as Slowloris. The server spawns a new OS thread for every incoming connection without enforcing a maximum concurrency limit or an appropriate request timeout. An unauthenticated remote attacker can exhaust server concurrency limits and memory by opening numerous connections and sending data exceptionally slowly (e.g. 1 byte every few minutes). Anyone hosting services using TinyWeb is impacted. Version 2.02 fixes the issue. The patch introduces a `CMaxConnections` limit (set to 512) and a `CConnectionTimeoutSecs` idle timeout (set to 30 seconds). As a temporary workaround if upgrading is not immediately possible, consider placing the server behind a robust reverse proxy or Web Application Firewall (WAF) such as nginx, HAProxy, or Cloudflare, configured to buffer incomplete requests and aggressively enforce connection limits and timeouts.

Detailed information about CVE-2026-27630: CWE-400: Uncontrolled Resource Consumption in maximmasiutin TinyWeb affecting maximmasiutin TinyWeb. Get real-time up

CVE-2026-27630: CWE-400: Uncontrolled Resource Consumption in maximmasiutin TinyWeb - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2026-27630: CWE-400: Uncontrolled Resource Consumption in maximmasiutin TinyWeb

CVE-2026-3209 is a medium severity vulnerability in fosrl Pangolin versions up to 1. 15. 4-s. 3, caused by improper access controls in the Role Handler component functions verifyRoleAccess and verifyApiKeyRoleAccess. This flaw allows remote attackers to bypass role-based access restrictions without authentication or user interaction, potentially leading to unauthorized access to sensitive functions or data. The vulnerability has been publicly disclosed but no known exploits are currently active in the wild. Upgrading to version 1. 15. 4-s. 4, which includes a patch identified by commit 5e37c4e85fae68e756be5019a28ca903b161fdd5, mitigates the issue.

CVE-2026-3209 is a vulnerability in the fosrl Pangolin software, specifically in the Role Handler component's functions verifyRoleAccess and verifyApiKeyRoleAccess. These functions are responsible for enforcing role-based access controls and API key role validations. Due to improper implementation, attackers can manipulate these functions to bypass access restrictions, gaining unauthorized privileges remotely without requiring authentication or user interaction. The vulnerability affects versions 1.15.4-s.0 through 1.15.4-s.3. The flaw arises from insufficient validation of role assignments and API key permissions, allowing attackers to escalate privileges or access restricted resources. The vulnerability was publicly disclosed on February 25, 2026, and a patch was released in version 1.15.4-s.4, identified by the commit 5e37c4e85fae68e756be5019a28ca903b161fdd5. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no privileges or user interaction required, and low impact on confidentiality, integrity, and availability. Although no known exploits are currently active in the wild, the public disclosure increases the risk of exploitation. Organizations using affected versions should upgrade promptly to mitigate potential unauthorized access risks.

Detailed information about CVE-2026-3209: Improper Access Controls in fosrl Pangolin affecting fosrl Pangolin. Get real-time updates, technical details, and mit

CVE-2026-3209: Improper Access Controls in fosrl Pangolin - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2026-3209: Improper Access Controls in fosrl Pangolin

Malwarebytes Binisoft Windows Firewall Control before 6.9.9.2 allows remote attackers to execute arbitrary code via gRPC named pipes.

Detailed information about CVE-2024-25089: n/a. Get real-time updates, technical details, and mitigation strategies.

CVE-2024-25089: n/a

CVE-2024-25089: n/a

Description

Technical Details

Community Reviews

Related Threats

CVE-2026-27933: CWE-613: Insufficient Session Expiration in manyfold3d manyfold

CVE-2026-27635: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in manyfold3d manyfold

CVE-2026-27633: CWE-400: Uncontrolled Resource Consumption in maximmasiutin TinyWeb

CVE-2026-27630: CWE-400: Uncontrolled Resource Consumption in maximmasiutin TinyWeb

CVE-2026-3209: Improper Access Controls in fosrl Pangolin

Actions

External Links

Need more coverage?

Latest Threats

Keyboard Shortcuts

Navigation

Search & Filters

UI Controls

Accessibility