CVE-2026-6593
Remote Cross-Site Scripting in ComfyUI View Endpoint
Publication date: 2026-04-20
Last updated on: 2026-04-29
Assigner: VulDB
Description
CVSS Scores
EPSS Scores
| Metric | Value |
|---|---|
| Probability | |
| Percentile | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| comfyui | comfyui | up to and including 0.13.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects ComfyUI up to and including version 0.13.0, in the file-serving logic of server.py (the View Endpoint component). As the mitigation and detection answers on this page describe, an SVG file uploaded through /upload/image is later served by /view with Content-Type image/svg+xml and without a Content-Disposition: attachment header, so a browser renders it inline and executes any script it contains in the ComfyUI origin. That is a stored cross-site scripting (XSS) condition, reachable remotely by anyone who can reach the two endpoints.
The vulnerability can be exploited remotely and an exploit has been made public. The vendor was notified early but did not respond.
How can this vulnerability impact me?
Script injected through this flaw runs in the ComfyUI origin in the browser of whoever opens the crafted file. From there it can call the instance's API as that user, read and exfiltrate what the interface exposes (workflows, settings, preferences) and, in general, perform any action the user could perform.
Session hijacking, unauthorized actions performed on behalf of users and theft of sensitive information are the usual consequences of a stored XSS of this kind.
What immediate steps should I take to mitigate this vulnerability?
- Stop SVG files from being stored: restrict or disable SVG uploads via the /upload/image endpoint. Where uploads are still needed, validate the content rather than only the extension (an SVG is an XML document with an <svg> root element) and reject or sanitize anything that looks like SVG before it is written to disk.
- Stop stored SVG from rendering: add image/svg+xml to the MIME type blocklist used by the /view endpoint so that such files are served with Content-Disposition: attachment (forced download) instead of inline.
- Until an official patch or fixed version is released, limit who can reach /upload/image and /view. ComfyUI has no built-in authentication, so in practice this means keeping it bound to 127.0.0.1 (the default unless it is started with --listen) or placing an authenticating reverse proxy in front of it.
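The two server-side checks the mitigation describes, written out as an added example. This is not ComfyUI's own code and does not reproduce its handlers; it is a stdlib-only model of the decisions a hardened upload path and a hardened view path need to make: `reject_upload` refuses SVG by declared type and by content (so a renamed `.png` that is really SVG markup is still caught), and `view_headers` forces a download for every type on the inline blocklist. The blocklist contents, the function names and the `nosniff` header are choices made here, not settings the page attributes to ComfyUI.

```python
"""Added example: upload rejection and forced-download headers for an SVG
stored-XSS mitigation. Stdlib only; not ComfyUI's own code."""
import mimetypes
import re
from typing import Dict, Optional

# Content types a browser will execute script from when they are rendered
# inline. image/svg+xml is the one this advisory is about; the other two are
# included because the same serving logic should never render them either.
INLINE_BLOCKLIST = {"image/svg+xml", "text/html", "application/xhtml+xml"}

# An SVG document has an <svg> element near the top, whatever its extension.
_SVG_RE = re.compile(rb"<\s*svg\b", re.IGNORECASE)


def looks_like_svg(data: bytes) -> bool:
    """Content-based check, independent of the uploader-chosen filename."""
    head = data.lstrip()[:4096]
    return bool(_SVG_RE.search(head))


def reject_upload(filename: str, data: bytes) -> Optional[str]:
    """Return a reason string if the upload must be refused, else None."""
    ctype, _ = mimetypes.guess_type(filename)
    if ctype in INLINE_BLOCKLIST:
        return f"blocked content type {ctype}"
    if looks_like_svg(data):
        # Extension said something harmless, body says SVG: still refuse.
        return "payload is SVG markup regardless of extension"
    return None


def view_headers(filename: str) -> Dict[str, str]:
    """Response headers for serving a stored file.

    Blocklisted types get Content-Disposition: attachment so the browser
    downloads instead of rendering; nosniff (defence in depth) stops the
    browser from second-guessing the declared Content-Type."""
    ctype = mimetypes.guess_type(filename)[0] or "application/octet-stream"
    disposition = "attachment" if ctype in INLINE_BLOCKLIST else "inline"
    # Strip characters that could terminate the header or inject parameters.
    safe_name = re.sub(r'[\r\n";\\]', "_", filename)
    return {
        "Content-Type": ctype,
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": f'{disposition}; filename="{safe_name}"',
    }
```

Note that the extension-based branch of `reject_upload` and the blocklist in `view_headers` agree by construction: anything `mimetypes` maps to a blocklisted type is refused on upload and, if it somehow reaches disk, is forced to download on the way out.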
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability CVE-2026-6593 allows attackers to execute arbitrary JavaScript in the ComfyUI origin, which can lead to theft of session data including workflows, settings, and preferences, as well as execution of arbitrary API calls and exfiltration of sensitive data.
Such unauthorized access and potential data exfiltration could impact compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access and breaches.
However, the provided information does not explicitly state the direct impact on compliance with these standards.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking whether the ComfyUI instance accepts an SVG upload on /upload/image and then serves that file inline from /view, i.e. with Content-Type: image/svg+xml and without a Content-Disposition header carrying the attachment directive.
No script payload is needed for the check: the response headers alone determine whether a browser would render the file and execute anything inside it, so a minimal benign SVG is sufficient. Run this only against instances you are authorized to test.
- Upload a small SVG with curl. ComfyUI's upload handler reads the file from the multipart field named image (ComfyUI listens on port 8188 by default): curl -X POST -F "image=@probe.svg" http://<target>:8188/upload/image
- The upload reply is JSON that includes the stored name; it can differ from the uploaded one if a file with that name already exists, so use the reported name in the next step.
- ComfyUI's /view endpoint takes the filename as a query parameter rather than a path segment. Fetch the file and dump only the response headers: curl -s -D - -o /dev/null "http://<target>:8188/view?filename=probe.svg&type=input"
- The instance is affected if the response is 200 with Content-Type: image/svg+xml and Content-Disposition either absent or not attachment. A 403/404, a non-SVG Content-Type, or an attachment disposition means the file is not rendered inline.
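The same check as a script, added here as an example rather than taken from the page or from ComfyUI. It uploads a constructed, script-free probe SVG through /upload/image (multipart field `image`), reads the stored name back from the JSON reply, requests it via /view?filename=...&type=input, and classifies the response headers. The endpoint shapes and the default port 8188 are ComfyUI's at the time of writing; the verdict names and the function names are this example's own. `classify_headers` is a pure function so the decision logic can be exercised offline.

```python
"""Added example: probe whether a ComfyUI-style instance serves uploaded SVG
inline from /view. Stdlib only; not ComfyUI's own code."""
import json
import uuid
import urllib.error
import urllib.parse
import urllib.request
from typing import Dict, Optional, Tuple

# Constructed, benign probe. No script is needed: whether the server would
# render it inline is decided by the response headers alone.
PROBE_SVG = (b'<?xml version="1.0" encoding="UTF-8"?>\n'
             b'<svg xmlns="http://www.w3.org/2000/svg" width="1" height="1">'
             b'<!-- CVE-2026-6593 header probe, no script --></svg>\n')


def classify_headers(status: int, headers: Dict[str, str]) -> str:
    """Map a /view response to a verdict.

    inline-svg      : image/svg+xml without an attachment disposition, so the
                      browser renders it and runs any script inside
    forced-download : image/svg+xml but Content-Disposition: attachment
    blocked         : the file was not served at all (403, 404, ...)
    other           : served with some other content type"""
    if status != 200:
        return "blocked"
    h = {k.lower(): v for k, v in headers.items()}  # names are case-insensitive
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    if ctype != "image/svg+xml":
        return "other"
    disposition = h.get("content-disposition", "").split(";")[0].strip().lower()
    return "forced-download" if disposition == "attachment" else "inline-svg"


def encode_multipart(field: str, filename: str, data: bytes,
                     ctype: str) -> Tuple[bytes, str]:
    """Minimal multipart/form-data body for a single file field."""
    boundary = "----probe" + uuid.uuid4().hex
    body = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
        f"Content-Type: {ctype}\r\n\r\n"
    ).encode() + data + f"\r\n--{boundary}--\r\n".encode()
    return body, f"multipart/form-data; boundary={boundary}"


def upload_probe(base_url: str, filename: str = "xss-probe.svg") -> Optional[str]:
    """POST the probe to /upload/image (field 'image', as ComfyUI expects).
    Returns the stored name from the JSON reply, or None on failure."""
    body, ctype = encode_multipart("image", filename, PROBE_SVG, "image/svg+xml")
    req = urllib.request.Request(base_url.rstrip("/") + "/upload/image", data=body,
                                 headers={"Content-Type": ctype}, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            reply = json.loads(resp.read().decode() or "{}")
    except (urllib.error.URLError, ValueError):
        return None
    # ComfyUI may rename on collision, so trust the name it reports back.
    return reply.get("name", filename)


def probe_view(base_url: str, stored_name: str, file_type: str = "input") -> str:
    """GET /view?filename=...&type=... and classify the response headers."""
    query = urllib.parse.urlencode({"filename": stored_name, "type": file_type})
    url = f"{base_url.rstrip('/')}/view?{query}"
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return classify_headers(resp.status, dict(resp.headers.items()))
    except urllib.error.HTTPError as exc:          # 4xx/5xx still carry headers
        return classify_headers(exc.code, dict(exc.headers.items()))
    except urllib.error.URLError:                   # connection refused, DNS, ...
        return "unreachable"


if __name__ == "__main__":
    import sys
    base = sys.argv[1] if len(sys.argv) > 1 else "http://127.0.0.1:8188"
    name = upload_probe(base)
    if name is None:
        print("upload refused or unreachable: SVG upload path not exposed")
    else:
        print(f"{name}: {probe_view(base, name)}")
```

Run it as `python probe.py http://<target>:8188`; a result of `inline-svg` is the affected condition, `forced-download` means the attachment mitigation is in place, and `blocked` means the upload was refused or the file is not being served.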