Description
A vulnerability was found in ComfyUI up to 0.13.0. The affected code is unspecified functionality in the file server.py of the View Endpoint component. Manipulation of the endpoint results in cross site scripting. The attack can be carried out remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-04-20
Score: 5.1 Medium
EPSS: n/a
KEV: No
Impact: Cross Site Scripting
Action: Apply Patch
AI Analysis

Impact

A flaw in the View Endpoint (server.py) of ComfyUI allows an attacker to inject script content by manipulating the request to that endpoint, resulting in cross‑site scripting when the returned resource is rendered by a browser. The vulnerability can be exploited remotely and the corresponding exploit has been made publicly available, so attackers can trigger it without local access to the host.

Affected Systems

All installations of ComfyUI up to and including version 0.13.0 are affected. The issue resides in the server.py code that serves the View Endpoint.

Risk and Exploitability

The CVSS 4.0 score of 5.1 reflects a moderate risk level. The EPSS score is not published, and the vulnerability is not listed in CISA KEV. The attack vector is network-based, meaning an attacker can initiate exploitation from outside the system; note, however, that the recorded CVSS vectors carry PR:L and UI:R/UI:P, so a low-privileged account on the ComfyUI instance and interaction by a victim user are part of the attack path. The fact that the exploit has been released to the public suggests that the likelihood of real‑world attacks may increase over time.

Generated by OpenCVE AI on April 20, 2026 at 03:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the newest ComfyUI release that contains the server.py fix; if no patch is deployed yet, plan to replace the vulnerable component with a secure alternative.
  • Disable the View Endpoint or limit access to trusted users only until a formal patch or remediation is applied.
  • Implement input validation or deploy a web application firewall rule to block cross‑site scripting payloads on the View Endpoint route served by server.py.

Advisories

No advisories yet.

History

Mon, 20 Apr 2026 02:00:00 +0000

Description
  Values removed: (none)
  Values added: A vulnerability was found in ComfyUI up to 0.13.0. Affected by this issue is some unknown functionality of the file server.py of the component View Endpoint. Performing a manipulation results in cross site scripting. The attack is possible to be carried out remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

Title
  Values removed: (none)
  Values added: ComfyUI View Endpoint server.py cross site scripting

Weaknesses
  Values removed: (none)
  Values added: CWE-79, CWE-94

References
  Values removed: (none)
  Values added: (none)

Metrics
  Values removed: (none)
  Values added:
    cvssV2_0: {'score': 4, 'vector': 'AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}
    cvssV3_0: {'score': 3.5, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
    cvssV3_1: {'score': 3.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
    cvssV4_0: {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-20T01:30:17.995Z

Reserved: 2026-04-19T09:44:16.689Z

Link: CVE-2026-6593

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-04-20T02:16:15.437

Modified: 2026-04-20T02:16:15.437

Link: CVE-2026-6593

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T04:00:09Z

Weaknesses