Critical severity 10.0 · NVD Advisory · Published Dec 13, 2024 · Updated Apr 15, 2026
CVE-2024-21576
Description
ComfyUI-Bmad-Nodes is vulnerable to Code Injection. The issue stems from a validation bypass in the BuildColorRangeHSVAdvanced, FilterContour and FindContour custom nodes. In the entrypoint function to each node, there’s a call to eval which can be triggered by generating a workflow that injects a crafted string into the node. This can result in executing arbitrary code on the server.
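One way to remove the `eval` sink the description refers to, shown as an added example (not code from ComfyUI-Bmad-Nodes or from the advisory): parse the string and walk an allowlisted AST instead of validating and then evaluating it. It assumes the node only needs arithmetic over named numeric inputs; `safe_eval`, `check`, `MAX_LEN` and the variable names in the test inputs are hypothetical.

```python
import ast
import operator

# Allowlisted operators; anything else in the parsed tree is rejected.
_BIN_OPS = {ast.Add: operator.add, ast.Sub: operator.sub,
            ast.Mult: operator.mul, ast.Div: operator.truediv}
_UNARY_OPS = {ast.USub: operator.neg, ast.UAdd: operator.pos}
MAX_LEN = 200  # hypothetical cap on the length of the node's string input


class RejectedExpression(ValueError):
    """Raised when the input contains anything outside the allowlist."""


def safe_eval(expr, variables):
    """Evaluate arithmetic over numeric `variables` without calling eval()."""
    if not isinstance(expr, str) or len(expr) > MAX_LEN:
        raise RejectedExpression("expression must be a short string")
    try:
        tree = ast.parse(expr, mode="eval")
    except (SyntaxError, ValueError) as exc:
        raise RejectedExpression("not a valid expression") from exc
    return _walk(tree.body, variables)


def _walk(node, variables):
    if isinstance(node, ast.Constant) and type(node.value) in (int, float):
        return node.value
    if isinstance(node, ast.Name) and node.id in variables:
        return variables[node.id]
    if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
        left, right = _walk(node.left, variables), _walk(node.right, variables)
        return _BIN_OPS[type(node.op)](left, right)
    if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY_OPS:
        return _UNARY_OPS[type(node.op)](_walk(node.operand, variables))
    # Calls, attribute access, subscripts, lambdas, unknown names all land here.
    raise RejectedExpression(f"disallowed syntax: {type(node).__name__}")


def check(expr, variables):
    """Return ('ok', value) or ('rejected', reason) for logging and triage."""
    try:
        return ("ok", safe_eval(expr, variables))
    except (RejectedExpression, ZeroDivisionError) as exc:
        return ("rejected", str(exc))
```

Because the walker only ever executes the operators in its own tables, no filter on the input string is involved, so there is no filter to bypass; exponentiation is left out deliberately so a short input cannot force a huge computation.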
Patches
No patches discovered yet.