ComfyUI/utils
Matt Miller ae4fcaaf41 security: fix five vulnerabilities (GHSA-779p-m5rp-r4h4)
- CVE-2026-56670: force download of SVG/XML responses on /view to prevent stored XSS
- CVE-2026-56671: contain /experiment/models/preview reads within the model folder
- CVE-2026-56672: stop inline rendering of uploaded /userdata/{file} content
- CVE-2026-56673: prevent path traversal in get_annotated_filepath (LoadImage /prompt input)
- CVE-2026-56674: reject opaque/null Origin to close the CSRF middleware bypass

Adds regression tests under tests-unit/security_test/ covering all five.
2026-07-02 19:10:30 -07:00
__init__.py Expand user directory for basepath in extra_models_paths.yaml (#4857) 2024-09-10 00:33:44 -04:00
extra_config.py Normalize extra_model_config.yaml paths to prevent duplicates. (#6885) 2025-02-20 07:09:45 -05:00
install_util.py Update logging level for invalid version format (#13526) 2026-04-22 20:21:43 -04:00
json_util.py [i18n] Add /i18n endpoint to provide all custom node translations (#6558) 2025-01-22 17:15:45 -05:00
mime_types.py fix: register image/svg+xml MIME type for .svg files (#13186) 2026-03-26 22:13:29 -07:00
origin_check.py security: fix five vulnerabilities (GHSA-779p-m5rp-r4h4) 2026-07-02 19:10:30 -07:00