ComfyUI: User Data Exposed to Attack via Malicious Code Injection
CVE-2026-6592
Summary
A cross-site scripting flaw in ComfyUI's user data management system (the getuserdata function in app/user_manager.py, reached through the userdata endpoint) allows a remote attacker to inject malicious code, which could be used to steal or manipulate sensitive user information. ComfyUI version 0.13.0 and earlier are affected. Update to the latest version as soon as possible to fix this issue.
Original title
A vulnerability has been found in ComfyUI up to 0.13.0. Affected by this vulnerability is the function getuserdata of the file app/user_manager.py of the component userdata Endpoint. Such manipulat...
Original description
A vulnerability has been found in ComfyUI up to 0.13.0. Affected by this vulnerability is the function getuserdata of the file app/user_manager.py of the component userdata Endpoint. Such manipulation leads to cross site scripting. The attack can be executed remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
NVD CVSS 2.0: 4.0
NVD CVSS 3.1: 3.5
NVD CVSS 4.0: 5.1
Vulnerability type
CWE-79: Cross-site Scripting (XSS)
CWE-94: Code Injection
Published: 20 Apr 2026 · Updated: 20 Apr 2026 · First seen: 20 Apr 2026