{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-6591", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-04-19T09:44:01.638Z", "datePublished": "2026-04-20T01:00:18.496Z", "dateUpdated": "2026-04-20T16:29:10.370Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-20T01:00:18.496Z"}, "title": "ComfyUI LoadImage Node folder_paths.py folder_paths.get_annotated_filepath path traversal", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-22", "lang": "en", "description": "Path Traversal"}]}], "affected": [{"vendor": "n/a", "product": "ComfyUI", "versions": [{"version": "0.1", "status": "affected"}, {"version": "0.2", "status": "affected"}, {"version": "0.3", "status": "affected"}, {"version": "0.4", "status": "affected"}, {"version": "0.5", "status": "affected"}, {"version": "0.6", "status": "affected"}, {"version": "0.7", "status": "affected"}, {"version": "0.8", "status": "affected"}, {"version": "0.9", "status": "affected"}, {"version": "0.10", "status": "affected"}, {"version": "0.11", "status": "affected"}, {"version": "0.12", "status": "affected"}, {"version": "0.13.0", "status": "affected"}], "modules": ["LoadImage Node"]}], "descriptions": [{"lang": "en", "value": "A flaw has been found in ComfyUI up to 0.13.0. Affected is the function folder_paths.get_annotated_filepath of the file folder_paths.py of the component LoadImage Node. This manipulation of the argument Name causes path traversal. Remote exploitation of the attack is possible. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 4.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 4, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-04-19T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-04-19T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-04-19T11:49:31.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "Eric-c (VulDB User)", "type": "reporter"}, {"lang": "en", "value": "VulDB CNA Team", "type": "coordinator"}], "references": [{"url": "https://vuldb.com/vuln/358226", "name": "VDB-358226 | ComfyUI LoadImage Node folder_paths.py folder_paths.get_annotated_filepath path traversal", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/358226/cti", "name": "VDB-358226 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/791112", "name": "Submit #791112 | comfyanonymous ComfyUI <= 0.13.0 (commit 6648ab68) Path Traversal (CWE-22)", "tags": ["third-party-advisory"]}, {"url": "https://gist.github.com/YLChen-007/1e6db39703626dc5c1a2505426754333", "tags": ["exploit"]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-20T16:28:57.861312Z", "id": "CVE-2026-6591", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-20T16:29:10.370Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-6591", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-20T16:28:57.861312Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-20T16:29:05.508Z"}}], "cna": {"title": "ComfyUI LoadImage Node folder_paths.py folder_paths.get_annotated_filepath path traversal", "credits": [{"lang": "en", "type": "reporter", "value": "Eric-c (VulDB User)"}, {"lang": "en", "type": "coordinator", "value": "VulDB CNA Team"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 4, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:ND/RC:UR"}}], "affected": [{"vendor": "n/a", "modules": ["LoadImage Node"], "product": "ComfyUI", "versions": [{"status": "affected", "version": "0.1"}, {"status": "affected", "version": "0.2"}, {"status": "affected", "version": "0.3"}, {"status": "affected", "version": "0.4"}, {"status": "affected", "version": "0.5"}, {"status": "affected", "version": "0.6"}, {"status": "affected", "version": "0.7"}, {"status": "affected", "version": "0.8"}, {"status": "affected", "version": "0.9"}, {"status": "affected", "version": "0.10"}, {"status": "affected", "version": "0.11"}, {"status": "affected", "version": "0.12"}, {"status": "affected", "version": "0.13.0"}]}], "timeline": [{"lang": "en", "time": "2026-04-19T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-04-19T02:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-04-19T11:49:31.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/vuln/358226", "name": "VDB-358226 | ComfyUI LoadImage Node folder_paths.py folder_paths.get_annotated_filepath path traversal", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/358226/cti", "name": "VDB-358226 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/791112", "name": "Submit #791112 | comfyanonymous ComfyUI <= 0.13.0 (commit 6648ab68) Path Traversal (CWE-22)", "tags": ["third-party-advisory"]}, {"url": "https://gist.github.com/YLChen-007/1e6db39703626dc5c1a2505426754333", "tags": ["exploit"]}], "descriptions": [{"lang": "en", "value": "A flaw has been found in ComfyUI up to 0.13.0. Affected is the function folder_paths.get_annotated_filepath of the file folder_paths.py of the component LoadImage Node. This manipulation of the argument Name causes path traversal. Remote exploitation of the attack is possible. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "Path Traversal"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-20T01:00:18.496Z"}}}, "cveMetadata": {"cveId": "CVE-2026-6591", "state": "PUBLISHED", "dateUpdated": "2026-04-20T16:29:10.370Z", "dateReserved": "2026-04-19T09:44:01.638Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-04-20T01:00:18.496Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw has been found in ComfyUI up to 0.13.0. Affected is the function folder_paths.get_annotated_filepath of the file folder_paths.py of the component LoadImage Node. This manipulation of the argument Name causes path traversal. Remote exploitation of the attack is possible. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "id": "CVE-2026-6591", "lastModified": "2026-04-29T01:00:01.613", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 2.1, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-04-20T01:16:31.870", "references": [{"source": "cna@vuldb.com", "url": "https://gist.github.com/YLChen-007/1e6db39703626dc5c1a2505426754333"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/submit/791112"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/358226"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/358226/cti"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "0.1"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "0.2"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "0.3"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "0.4"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "0.5"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "0.6"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "0.7"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "0.8"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "0.9"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "0.10"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "0.11"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "0.12"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "0.13.0"}}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 93.0, "source": "matching"}]}, "original": {"product": "ComfyUI", "source": "cna", "vendor": "n/a"}, "product": "comfyui", "vendor": "comfy"}], "analysis": {"en": {"generated_at": "2026-04-20T02:50:23.296356+00:00", "value": {"mitigation_remediation": ["Apply the vendor\u2019s published patch or upgrade to a version newer than 0.13.0. If no official update is available, request a fix from the maintainers of the project.", "Limit the API entry point that allows the LoadImage Node to be accessed to trusted users only, and apply network segmentation so that only intended hosts can reach the ComfyUI instance.", "Configure file system controls so that the user running ComfyUI cannot read system files outside the intended content directories, thereby limiting exposure even if path traversal is attempted.", "Audit access logs for suspicious request patterns that include non\u2011standard characters such as \"..\", \"../\", or other path traversal indicators, and investigate any anomalies promptly."], "summary": {"action": "Patch Immediately", "impact": "Path traversal allowing unauthorized file access"}, "threat_synthesis": {"affected_systems": "All installations of ComfyUI 0.13.0 and earlier are affected. This includes the default build of the LoadImage Node that uses the folder_paths.py component. No specific micro\u2011versions beyond 0.13.0 are listed as affected, so any version prior to or equal to 0.13.0 should be considered at risk.", "description_and_impact": "The vulnerability appears in the LoadImage Node of ComfyUI when the function folder_paths.get_annotated_filepath receives a manipulated Name argument. The manipulation enables path traversal, allowing a remote attacker to access files outside the intended directory. Because the exploit is publicly available and remote exploitation is possible, the attacker can read arbitrary files on the system, potentially exposing confidential data or credentials. The weakness is identified as CWE\u201122, which denotes path traversal flaws that lead to confidentiality compromise.", "risk_and_exploitability": "The CVSS score of 5.3 indicates moderate severity. The EPSS score is currently unavailable, but the presence of a public exploit and the known remote attack vector raise concern for active exploitation in the field. The vulnerability is not listed in the CISA KEV catalog yet; however, the attacker can achieve significant impact by reading arbitrary files, which could lead to further compromise if sensitive data is accessed. The attack can be executed remotely by invoking the LoadImage Node with a crafted Name parameter over the network interface that the ComfyUI instance exposes."}}}}, "created": "2026-04-20T03:00:09.523605+00:00", "updated": "2026-04-20T14:45:08.997114+00:00", "vendors": ["comfy", "comfy$PRODUCT$comfyui"]}