VYPR

ComfyUI

by Comfyanonymous

CVEs (10)

  • CVE-2026-6591 | Med | Apr 20, 2026
    risk 0.28 | cvss 4.3 | epss 0.00

    A flaw has been found in ComfyUI up to 0.13.0. Affected is the function folder_paths.get_annotated_filepath of the file folder_paths.py of the component LoadImage Node. This manipulation of the argument Name causes path traversal. Remote exploitation of the attack is possible.…

  • CVE-2026-6590 | Med | Apr 20, 2026
    risk 0.28 | cvss 4.3 | epss 0.00

    A vulnerability was detected in ComfyUI up to 0.13.0. This impacts the function get_model_preview of the file app/model_manager.py of the component Model Preview Endpoint. The manipulation results in path traversal. The attack may be launched remotely. The exploit is now public…

  • CVE-2026-6589 | Med | Apr 20, 2026
    risk 0.28 | cvss 4.3 | epss 0.00

    A security vulnerability has been detected in ComfyUI up to 0.13.0. This affects the function create_origin_only_middleware of the file server.py. The manipulation leads to cross-site request forgery. The attack may be initiated remotely. The exploit has been disclosed publicly…

  • CVE-2025-6092 | Med | Jun 15, 2025
    risk 0.28 | cvss 4.3 | epss 0.00

    A vulnerability was found in comfyanonymous comfyui up to 0.3.39. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /upload/image of the component Incomplete Fix CVE-2024-10099. The manipulation of the argument image…

  • CVE-2026-6593 | Low | Apr 20, 2026
    risk 0.23 | cvss 3.5 | epss 0.00

    A vulnerability was found in ComfyUI up to 0.13.0. Affected by this issue is some unknown functionality of the file server.py of the component View Endpoint. Performing a manipulation results in cross site scripting. The attack is possible to be carried out remotely. The exploit…

  • CVE-2026-6592 | Low | Apr 20, 2026
    risk 0.23 | cvss 3.5 | epss 0.00

    A vulnerability has been found in ComfyUI up to 0.13.0. Affected by this vulnerability is the function getuserdata of the file app/user_manager.py of the component userdata Endpoint. Such manipulation leads to cross site scripting. The attack can be executed remotely. The…

  • CVE-2025-6107 | Low | Jun 16, 2025
    risk 0.20 | cvss 3.1 | epss 0.00

    A vulnerability was found in comfyanonymous comfyui 0.3.40. It has been classified as problematic. Affected is the function set_attr of the file /comfy/utils.py. The manipulation leads to dynamically-determined object attributes. It is possible to launch the attack remotely. The…

  • CVE-2024-12882 | Mar 20, 2025
    risk 0.00 | cvss | epss 0.01

    comfyanonymous/comfyui version v0.2.4 suffers from a non-blind Server-Side Request Forgery (SSRF) vulnerability. This vulnerability can be exploited by combining the REST APIs `POST /internal/models/download` and `GET /view`, allowing attackers to abuse the victim server's…

  • CVE-2024-10481 | Mar 20, 2025
    risk 0.00 | cvss | epss 0.00

    A CSRF vulnerability exists in comfyanonymous/comfyui versions up to v0.2.2. This vulnerability allows attackers to host malicious websites that, when visited by authenticated ComfyUI users, can perform arbitrary API requests on behalf of the user. This can be exploited to…

  • CVE-2024-10099 | Oct 17, 2024
    risk 0.00 | cvss | epss 0.00

    A stored cross-site scripting (XSS) vulnerability exists in comfyanonymous/comfyui version 0.2.2 and possibly earlier. The vulnerability occurs when an attacker uploads an HTML file containing a malicious XSS payload via the `/api/upload/image` endpoint. The payload is executed…