ComfyUI Cross-Site Scripting Vulnerability in View Endpoint
Vulnerability
A stored cross-site scripting vulnerability has been identified in ComfyUI versions through 0.13.0. The issue resides in the View Endpoint of the server.py file, where an incomplete MIME type blocklist allows uploaded SVG files to be served inline, so the JavaScript they embed runs in the application's origin. This vulnerability bypasses previous XSS mitigations and could be exploited remotely.
Impact
Exploitation of this vulnerability allows for stored cross-site scripting, where uploaded SVG files execute embedded JavaScript when accessed, potentially leading to session data theft, unauthorized API calls, and data exfiltration.
Reproduction
To reproduce this vulnerability, upload an SVG file containing JavaScript into ComfyUI via the image upload endpoint. Then access the file through the view endpoint: the browser renders the SVG inline and executes the embedded script, demonstrating the cross-site scripting vulnerability.
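The root cause described above is a blocklist that names some dangerous MIME types but omits image/svg+xml. As an added defender-side illustration (this is not ComfyUI's code; the blocklist and allowlist contents, the function names and the header values are assumptions chosen for the example), the Python below contrasts that blocklist pattern with an allowlist-based view handler that only renders known raster image types inline, forces everything else (SVG included) to download, refuses to trust the file extension when the first bytes look like markup, and adds nosniff and a restrictive CSP so a misdeclared file cannot be reinterpreted as a document.

```python
import mimetypes
import os
import re
from dataclasses import dataclass, field

# Hypothetical, deliberately incomplete blocklist of the kind the advisory describes.
# image/svg+xml is missing, so an SVG falls through to the "render inline" branch.
BLOCKLIST = {"text/html", "application/xhtml+xml", "text/javascript"}

# Allowlist approach: only these types are ever rendered inline by the view handler.
INLINE_ALLOWLIST = {"image/png", "image/jpeg", "image/gif", "image/webp"}

# Headers that make the declared type authoritative and disarm any script that still
# reaches the browser (assumed values; tune the CSP to what the viewer page needs).
HARDENING_HEADERS = {
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'none'; sandbox",
}

# Leading bytes that indicate markup (SVG/XML/HTML) regardless of the extension.
MARKUP_PREFIXES = (b"<svg", b"<?xml", b"<!doctype", b"<html", b"<script")


@dataclass(frozen=True)
class ResponseHeaders:
    content_type: str
    content_disposition: str
    extra: dict = field(default_factory=dict)


def guess_type(filename: str) -> str:
    """Map the extension to a MIME type, defaulting to an opaque binary type."""
    ctype, _ = mimetypes.guess_type(filename)
    return ctype or "application/octet-stream"


def safe_download_name(filename: str) -> str:
    """Reduce a user-supplied name to a header-safe ASCII token (no quotes, CR/LF, or paths)."""
    base = os.path.basename(filename) or "download"
    return re.sub(r"[^A-Za-z0-9._-]", "_", base)


def looks_like_markup(head: bytes) -> bool:
    """True if the file body starts with something a browser could parse as a document."""
    stripped = head.lstrip(b"\xef\xbb\xbf \t\r\n").lower()
    return stripped.startswith(MARKUP_PREFIXES)


def headers_blocklist(filename: str) -> ResponseHeaders:
    """Vulnerable pattern: anything not explicitly blocked is served inline with its guessed type."""
    ctype = guess_type(filename)
    if ctype in BLOCKLIST:
        return ResponseHeaders(
            "application/octet-stream",
            f'attachment; filename="{safe_download_name(filename)}"',
        )
    return ResponseHeaders(ctype, "inline")


def headers_allowlist(filename: str, head: bytes = b"") -> ResponseHeaders:
    """Hardened pattern: inline only for allowlisted raster types whose bytes do not look like markup."""
    ctype = guess_type(filename)
    if ctype in INLINE_ALLOWLIST and not looks_like_markup(head):
        return ResponseHeaders(ctype, "inline", dict(HARDENING_HEADERS))
    # SVG, HTML, unknown types, or a "png" whose body is really markup all end up here.
    return ResponseHeaders(
        "application/octet-stream",
        f'attachment; filename="{safe_download_name(filename)}"',
        dict(HARDENING_HEADERS),
    )


if __name__ == "__main__":
    # Constructed sample requests: an uploaded SVG and a PNG-named file whose body is markup.
    for name, head in [("avatar.svg", b"<svg xmlns='http://www.w3.org/2000/svg'/>"),
                       ("photo.png", b"\x89PNG\r\n\x1a\n"),
                       ("photo.png", b"<svg xmlns='http://www.w3.org/2000/svg'/>")]:
        print(name, "blocklist ->", headers_blocklist(name).content_disposition,
              "| allowlist ->", headers_allowlist(name, head).content_disposition)
```

The blocklist version returns "inline" for avatar.svg because image/svg+xml was never listed, which is exactly the gap the advisory reports; the allowlist version downgrades the same file to an attachment with an opaque type, and the magic-byte check catches an SVG that was renamed to .png to slip past an extension-based allowlist.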