manyfold

v0.140.0 Security

This release includes 1 security fix, of interest to security teams reviewing exposed deployments.

Published 21d File Storage & Sync
✓ No known CVEs patched
This release patches 1 known CVE

Topics

3d-printing dam digital-asset-management obj-files rails self-hosted stl stl-files three-js

Affected surfaces

rce_ssrf

ReleasePort's take

Light signal
editorial:auto 13d

v0.140.0 fixes path traversal vulnerabilities in file renaming operations. Release also adds model entrypoint configuration and improved file grouping with subdirectories.

Why it matters: Path traversal vulnerability in file renaming is patched. Update to v0.140.0 to secure file operations against unauthorized file placement.

Summary

AI summary

Sanitize filenames to prevent path traversal attacks when renaming files.

Changes in this release

Security Medium

Sanitize filenames to prevent path traversal attacks when renaming files.

Source: llm_adapter@2026-05-21

Confidence: low

Feature Medium

Specify custom anchor text for links.

Source: llm_adapter@2026-05-21

Confidence: low

Feature Medium

Specify main entrypoint file and starting XRFragment for models.

Source: llm_adapter@2026-05-21

Confidence: low

Feature Medium

Load and save entrypoint data to/from datapackage.

Source: llm_adapter@2026-05-21

Confidence: low

Dependency Medium

Updated OpenAPI definition.

Source: llm_adapter@2026-05-21

Confidence: low

Deprecation Medium

None explicitly listed in changelog.

Source: llm_adapter@2026-05-21

Confidence: low

Bugfix Medium

Fix file grouping issues with subdirectories.

Source: llm_adapter@2026-05-21

Confidence: high

Full changelog

This release includes some features requested by XRForge, a system for hosting XR content which is built atop a custom Manyfold configuration. There's also a high-priority security bugfix to prevent path traversal attacks when renaming files.

On the feature side, you can now specify the text to be used for links, rather than just showing the domain or the preset text we have for some sites. You can also now specify a main "entrypoint" file for a model (a bit like index.html for web pages) and a starting XRFragment, which is pretty handy when hosting virtual environments!

What's Changed

✨ New Features ✨

  • Add optional anchor text for links by @Floppy in https://github.com/manyfold3d/manyfold/pull/6109
  • XRFragments entrypoint support by @Floppy in https://github.com/manyfold3d/manyfold/pull/6110

🔒 Security 🔒

  • Sanitize filenames to avoid path traversal and other security issues by @Floppy in https://github.com/manyfold3d/manyfold/pull/6122

🐛 Bug Fixes 🐛

  • Fix file grouping with subdirectories by @Floppy in https://github.com/manyfold3d/manyfold/pull/6121

🌍 Internationalization 🌏

  • Translations updated: de by @Floppy in https://github.com/manyfold3d/manyfold/pull/6107

🛠️ Other Improvements 🛠️

  • OpenAPI definition updated by @Floppy in https://github.com/manyfold3d/manyfold/pull/6117
  • Load/save entrypoint data to/from datapackage by @Floppy in https://github.com/manyfold3d/manyfold/pull/6116

Full Changelog: https://github.com/manyfold3d/manyfold/compare/v0.139.3...v0.140.0

Security Fixes

  • Sanitize filenames to avoid path traversal and other security issues

About manyfold

A self-hosted digital asset manager for 3d print files.
