ComfyUI/app
Matt Miller ae4fcaaf41 security: fix five vulnerabilities (GHSA-779p-m5rp-r4h4)
- CVE-2026-56670: force download of SVG/XML responses on /view to prevent stored XSS
- CVE-2026-56671: contain /experiment/models/preview reads within the model folder
- CVE-2026-56672: stop inline rendering of uploaded /userdata/{file} content
- CVE-2026-56673: prevent path traversal in get_annotated_filepath (LoadImage /prompt input)
- CVE-2026-56674: reject opaque/null Origin to close the CSRF middleware bypass

Adds regression tests under tests-unit/security_test/ covering all five.
2026-07-02 19:10:30 -07:00
| Name | Last commit | Date |
|---|---|---|
| assets | security: fix five vulnerabilities (GHSA-779p-m5rp-r4h4) | 2026-07-02 19:10:30 -07:00 |
| database | feat(assets): align local API with cloud spec (#12863) | 2026-03-16 12:34:04 -07:00 |
| __init__.py | Add FrontendManager to manage non-default front-end impl (#3897) | 2024-07-16 11:26:11 -04:00 |
| app_settings.py | Update frontend to v1.25.10 and revert navigation mode override (#9522) | 2025-08-23 17:54:01 -04:00 |
| custom_node_manager.py | Remove useless annotations imports. (#14105) | 2026-05-25 19:23:29 -07:00 |
| frontend_management.py | Remove useless annotations imports. (#14105) | 2026-05-25 19:23:29 -07:00 |
| logger.py | Add colored logs (#14036) | 2026-05-25 10:00:55 +08:00 |
| model_manager.py | security: fix five vulnerabilities (GHSA-779p-m5rp-r4h4) | 2026-07-02 19:10:30 -07:00 |
| node_replace_manager.py | fix: make NodeReplaceManager.register() idempotent (#13596) | 2026-05-07 19:21:12 -07:00 |
| subgraph_manager.py | fix: specify UTF-8 encoding when reading subgraph files (#12563) | 2026-02-21 15:05:00 -08:00 |
| user_manager.py | security: fix five vulnerabilities (GHSA-779p-m5rp-r4h4) | 2026-07-02 19:10:30 -07:00 |