Description
A vulnerability has been found in ComfyUI up to 0.13.0. Affected by this vulnerability is the function getuserdata of the file app/user_manager.py of the component userdata Endpoint. Such manipulation leads to cross site scripting. The attack can be executed remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-04-20
Score: 5.1 Medium
EPSS: n/a
KEV: No
Impact: Cross‑site scripting (XSS)
Action: Upgrade ComfyUI
AI Analysis

Impact

A vulnerability in ComfyUI, present in versions up to and including 0.13.0, allows a remote attacker to inject script into the response produced by the getuserdata function of the userdata endpoint (app/user_manager.py). The flaw arises from insufficient validation and output encoding of request data, classified under CWE‑79 (cross‑site scripting) and CWE‑94 (code injection). The published CVSS vectors rate the issue as requiring low privileges (PR:L) and user interaction (UI:R / UI:P), with limited integrity impact and no direct confidentiality or availability impact. Successful exploitation could enable reflected or stored XSS, letting an attacker run script in a victim's browser session to steal session cookies, deface pages, or perform further actions as that user.

Affected Systems

Any installation of ComfyUI whose version is 0.13.0 or earlier is vulnerable. The affected component is the getuserdata function in the userdata endpoint (app/user_manager.py).

Risk and Exploitability

The CVSS v4.0 score of 5.1 indicates a medium risk. No EPSS score is available, so the likelihood of exploitation at scale is uncertain. A public proof of concept exists (the vectors carry E:P / E:POC), but this page records no in‑the‑wild exploitation, and the CVE is not listed in the CISA KEV catalog. The remote HTTP attack vector, the public exploit and the absence of a vendor fix still warrant attention. An attack would involve an authenticated user (PR:L) submitting a crafted payload to the userdata endpoint so that a victim's browser renders and executes the embedded script, potentially leading to information theft or session hijack.

Generated by OpenCVE AI on April 20, 2026 at 03:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Identify the installed ComfyUI version and confirm whether it is 0.13.0 or earlier; every such version is affected.
  • Upgrade ComfyUI to a release the vendor states resolves this issue as soon as one is available; at the time of writing this page lists none.
  • As an interim measure, restrict access to the userdata endpoint (for example, do not expose the ComfyUI server beyond trusted networks), HTML‑encode or otherwise escape user‑controlled data before it is returned, serve user files with a non‑HTML Content‑Type and X‑Content‑Type‑Options: nosniff, and enforce a Content Security Policy to limit script execution.

Generated by OpenCVE AI on April 20, 2026 at 03:51 UTC.
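
The recommended actions above, as an added worked example that is not part of this OpenCVE page and is not ComfyUI's own code: the version check from the first step, and a constructed response handler showing the CWE‑79 pattern the description names beside the hardened form from the third step (output encoding, nosniff, CSP), with a check that tells the two apart. The handler names, the payload strings and the response layout are assumptions for illustration; nothing here reproduces the actual app/user_manager.py code or any exploit for it.

```python
"""Added example for CVE-2026-6592 (ComfyUI userdata endpoint XSS).

This is NOT ComfyUI's app/user_manager.py and makes no claim about how
getuserdata builds its response.  The handlers, the payload and the response
layout are constructed to show the CWE-79 pattern the advisory names and the
mitigations in the recommended actions (escaping, nosniff, CSP).
"""
import html
import re

# Step 1 of the recommended actions: "up to 0.13.0" means every release whose
# dotted version compares <= 0.13.0 is affected.  Assumes plain dotted release
# numbers, optionally prefixed with "v"; a trailing suffix such as "rc1" is
# ignored so pre-releases of an affected version still count as affected.
LAST_AFFECTED = (0, 13, 0)


def parse_version(text):
    """Turn '0.13.0', 'v0.12.5' or '0.13.0rc1' into a tuple of ints."""
    parts = []
    for piece in text.strip().lstrip("vV").split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    if not parts:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(parts)


def is_affected(version):
    return parse_version(version) <= LAST_AFFECTED


# Constructed stand-in for a user-data endpoint handler.  Each returns
# (headers, body) instead of a framework response object so the example runs
# without aiohttp or ComfyUI installed.

def vulnerable_userdata_response(file_name, content):
    """CWE-79 pattern: caller-controlled strings are concatenated into an HTML
    document and served as text/html, so the browser executes any markup the
    attacker stored or passed in the request."""
    body = f"<h1>{file_name}</h1><pre>{content}</pre>"
    headers = {"Content-Type": "text/html; charset=utf-8"}
    return headers, body


def hardened_userdata_response(file_name, content):
    """Same data, with the interim mitigations from the recommended actions:
    output encoding (html.escape) for every attacker-controlled value, nosniff
    so the browser cannot reinterpret the body, and a CSP that blocks inline
    and remote script as defense in depth if an encoding gap remains."""
    body = (f"<h1>{html.escape(file_name, quote=True)}</h1>"
            f"<pre>{html.escape(content, quote=True)}</pre>")
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; frame-ancestors 'none'",
    }
    return headers, body


# Markup that would run script when rendered as HTML: a <script> element or an
# element carrying an on*= event handler.  Escaped text contains no '<', so it
# never matches.
ACTIVE_MARKUP = re.compile(r"<script\b|<[a-z][^>]*\bon[a-z]+\s*=", re.IGNORECASE)


def reflects_active_content(headers, body):
    """True when a browser would render this response as HTML and the body
    carries unescaped script-bearing markup, i.e. the XSS is reachable."""
    ctype = headers.get("Content-Type", "").lower()
    nosniff = headers.get("X-Content-Type-Options", "").lower() == "nosniff"
    # A missing Content-Type without nosniff may be sniffed to HTML.
    renders_html = ctype.startswith("text/html") or (not ctype and not nosniff)
    return renders_html and ACTIVE_MARKUP.search(body) is not None


# Constructed test inputs: a classic event-handler payload as the file name and
# a script element as the stored content.  Neither is taken from the CVE.
PAYLOAD_NAME = '<img src=x onerror="alert(document.cookie)">'
PAYLOAD_CONTENT = "<script>alert(1)</script>"


def compare_handlers():
    """Run both handlers on the constructed payload and report which one lets
    the browser execute it."""
    vuln_headers, vuln_body = vulnerable_userdata_response(PAYLOAD_NAME, PAYLOAD_CONTENT)
    safe_headers, safe_body = hardened_userdata_response(PAYLOAD_NAME, PAYLOAD_CONTENT)
    return {
        "vulnerable_executes": reflects_active_content(vuln_headers, vuln_body),
        "hardened_executes": reflects_active_content(safe_headers, safe_body),
        "hardened_body": safe_body,
    }


if __name__ == "__main__":
    for v in ("0.12.5", "v0.13.0", "0.13.1"):
        print(f"ComfyUI {v}: {'affected' if is_affected(v) else 'not affected'}")
    print(compare_handlers())
```

The escaping alone closes the injection shown here; nosniff and the CSP are kept because an endpoint that returns arbitrary user files is exactly where a single missed code path (a different Content‑Type branch, a raw download route) reintroduces the problem, and those headers limit what a browser will do with it.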

Advisories

No advisories yet.

History

Mon, 20 Apr 2026 02:00:00 +0000

Type          Values Removed   Values Added
Description   (none)           A vulnerability has been found in ComfyUI up to 0.13.0. Affected by this vulnerability is the function getuserdata of the file app/user_manager.py of the component userdata Endpoint. Such manipulation leads to cross site scripting. The attack can be executed remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title         (none)           ComfyUI userdata Endpoint user_manager.py getuserdata cross site scripting
Weaknesses    (none)           CWE-79, CWE-94
References    (none)           (none recorded)
Metrics       (none)           cvssV2_0: score 4, vector AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:ND/RC:UR
                               cvssV3_0: score 3.5, vector CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R
                               cvssV3_1: score 3.5, vector CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R
                               cvssV4_0: score 5.1, vector CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-20T01:15:14.548Z

Reserved: 2026-04-19T09:44:12.706Z

Link: CVE-2026-6592

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-04-20T02:16:15.230

Modified: 2026-04-20T02:16:15.230

Link: CVE-2026-6592

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T04:00:09Z

Weaknesses