comfyanonymous / comfyui
Project repository
The most powerful and modular diffusion model GUI, api and backend with a graph/nodes interface.
Response times: first interaction within N/A days, review within 22 days, fix within N/A days.

Reports
Report | Date | Reporter | Status | Severity | Bounty | CVE
--- | --- | --- | --- | --- | --- | ---
SSRF in ComfyUI-Manager install_model | May 18th 2026 | wulonchia-pro | self closed | | |
Test SSRF | May 18th 2026 | wulonchia-pro | self closed | | |
Unauthenticated /system_stats endpoint exposes runtime environment and process a... | May 18th 2026 | massy-o | self closed | | |
Arbitrary file read via path traversal in get_annotated_filepath | Apr 26th 2026 | bersechub | self closed | | |
Arbitrary file write via path traversal in dataset save nodes | Mar 29th 2026 | amanverasia | duplicate | High | |
Arbitrary file write via path traversal in dataset nodes | Mar 29th 2026 | buttergolemcode | duplicate | Critical | |
Unsafe Deserialization via torch.load() in ComfyUI Dataset Loading Leads to Remo... | Mar 16th 2026 | elucidator-hky | self closed | | |
CSRF Protection Bypass via Origin: null in Sandboxed Iframes Enables Remote Code... | Jun 9th 2026 | aviral2642 | pending | | |
Unhandled Exception in get_dir_by_type() Causes Server Error on Upload Endpoint | Jun 8th 2026 | xjin1020 | pending | | |
Sensitive Information Exposure via sys.argv in /system_stats Endpoint | Jun 8th 2026 | xjin1020 | duplicate | Medium | |
Path Traversal in /experiment/models/preview/ Allows Reading Arbitrary Image Fil... | Jun 8th 2026 | xjin1020 | pending | | |
Unsafe torch.load() Without weights_only=True Enables Arbitrary Code Execution v... | Jun 7th 2026 | mom3gool2030 | pending | | |
Unauthenticated arbitrary file read via path traversal in get_annotated_filepath | Mar 29th 2026 | sn1r | duplicate | High | |
Unsafe deserialization via bare torch.load in ComfyUI model and checkpoint loadi... | Jun 5th 2026 | etwithin | pending | | |
RCE via Unsafe Pickle Deserialization in Dataset Nodes with Path Traversal | May 27th 2026 | jeremysommerfeld8910-cpu | pending | | |
CSRF Protection Bypass on Non-Loopback Bindings Leads to Remote Code Execution i... | May 23rd 2026 | brianmcwilliams | pending | | |
Remote Code Execution via unsafe torch.load() in LoadTrainingDataset node | Feb 16th 2026 | sebasfavaron | duplicate | Critical | |
Arbitrary Code Execution via Unsafe Pickle Deserialization in Checkpoint Loading | Feb 9th 2026 | squadan | duplicate | High | |
Information Disclosure via sys.argv exposure in /system_stats endpoint leaks cre... | May 9th 2026 | iiviel | duplicate | Medium | |
Path Traversal + Pickle Deserialization RCE via Dataset Nodes in comfy_extras/no... | Feb 8th 2026 | iiviel | duplicate | Critical | |
Unsafe Deserialization + Path Traversal in LoadTrainingDataset Node Enables Unau... | Feb 8th 2026 | jhacksman | duplicate | Critical | |
Command-Line Arguments Exposed via /system_stats Endpoint | Apr 19th 2026 | mr-neutr0n | pending | | |
Symlink-Based Arbitrary File Read via /view Endpoint | Apr 19th 2026 | mr-neutr0n | pending | | |
Regular Expression Denial of Service (ReDoS) in String Function Nodes | Apr 16th 2026 | reaperoak | pending | | |
Bypass of CVE-2024-10481: CSRF Protection Evaded via Null Origin (Sandboxed Ifra... | Apr 16th 2026 | reaperoak | pending | | |
Bypass of CVE-2024-10099: Stored XSS via SVG (Incomplete Mime Type Blocklist) | Apr 16th 2026 | reaperoak | pending | | |
Privilege Escalation via Configuration Injection in ComfyUI-Manager | Apr 8th 2026 | d0n9 | pending | | |
SSRF via UNC Path injection leads to credential compromise | Dec 16th 2025 | terminaljockey | pending | | |
Path traversal leads to arbitrary file reads | Nov 5th 2025 | faizann24 | pending | | |
Insecure Seed Generation Enables Prompt Reconstruction via Brute-Forcing a 32bit... | Oct 7th 2025 | felixmaechtle | pending | | |
Unauthenticated remote code execution vulnerability | May 11th 2025 | boy-hack | pending | | |
Deserializing unsafe data in comfyui leads to RCE | Feb 13th 2025 | l1k3beef | duplicate | Critical | |
DNS Rebinding | Feb 21st 2025 | sanktjodel | pending | | |
SSRF via POST /internal/models/download and GET /view REST APIs | Jan 21st 2025 | zpbrent | | High | $450 | CVE-2024-12882
Cross-Site Request Forgery to XSS at workflow | Dec 19th 2024 | srivallikusumba | duplicate | High | |
Cross-Site Request Forgery to XSS | Dec 18th 2024 | srivallikusumba | duplicate | High | |
RCE via pickle deserialization (unpickling) | Oct 21st 2024 | seqode | informative | High | |
Denial of service via CSRF | Dec 15th 2024 | seqode | duplicate | Medium | |
Default CORS settings lead to sensitive data exfiltration | Oct 28th 2024 | ethansilvas | informative | Medium | |
Unrestricted Upload of File with Dangerous Type | Oct 28th 2024 | seqode | duplicate | Critical | |
CSRF allows for requests on behalf of authenticated users | Dec 14th 2024 | ethansilvas | | Medium | | CVE-2024-10481
XSS through viewing HTML files with /view | Sep 14th 2024 | ethansilvas | | Medium | | CVE-2024-10099
Race Condition Vulnerability: Concurrent File Overwrite Leading to Data Integrit... | Oct 21st 2024 | morphykutay | informative | Medium | |
Delete any file on the system | Sep 13th 2024 | hainguyen0207 | self closed | | |
Path Traversal in API `/userdata/{file}` | Nov 26th 2024 | duongli99 | not applicable | | |
closed | Sep 13th 2024 | kienzx203 | self closed | | |
Bounty by severity: Critical $0 | High $0 | Medium $0 | Low $0