Vulnerability Overview

Vulnerability ID: Submit #791108
Vulnerability Name: comfyanonymous ComfyUI 0' evaluates False for 'Origin: null', completely bypassing the CSRF protection.

Combined with the /userdata/ endpoint serving .html files as text/html (app/user_manager.py lines 333-339), an attacker can chain the two: a CSRF upload of evil.html, the victim visiting the uploaded URL, and the XSS executing in the ComfyUI origin.

Reproduction

1. The attacker hosts a malicious page that creates a sandboxed iframe targeting the victim's local ComfyUI (127.0.0.1:8188).
2. The iframe sends a POST to /userdata/evil.html with an XSS payload; the browser sends Origin: null and the CSRF check is bypassed.
3. The attacker tricks the victim into opening the uploaded URL: http://127.0.0.1:8188/userdata/evil.html
4. JavaScript executes in ComfyUI's origin context with full API access.
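The two defects in the report (an Origin check that lets the literal value "null" through, and user uploads served as text/html) are easiest to see side by side. The following is an added illustration, not ComfyUI's code: `loose_origin_check` is a hypothetical weak check that only rejects a parseable foreign origin, `strict_origin_check` is the hardened form that requires an exact allow-list match and refuses missing or "null" origins, and `response_headers_for_userdata` shows how a user-data route can serve markup-like files without letting them execute in the application origin. The function names, `ALLOWED_ORIGINS`, and the sample request headers are assumptions constructed for this example.

```python
"""Added example (not ComfyUI's own code): Origin validation for a local web
UI, weak form beside hardened form, plus safe response headers for
user-uploaded files. Names and the allow-list are assumptions."""
import mimetypes
import os
from urllib.parse import urlsplit

# Assumption: the UI is only ever served from these exact origins.
ALLOWED_ORIGINS = {"http://127.0.0.1:8188", "http://localhost:8188"}

# Extensions a browser may render as active content if served inline.
ACTIVE_EXTENSIONS = {".html", ".htm", ".xhtml", ".svg"}


def loose_origin_check(headers: dict) -> bool:
    """Hypothetical weak check: rejects only an Origin that parses to a host
    outside the allow-list. A sandboxed iframe sends the literal string
    'null', which has no host, so the comparison never fires and the
    request is accepted. A missing Origin header is accepted for the same reason."""
    origin = headers.get("Origin", "")
    parsed = urlsplit(origin)
    if parsed.hostname and f"{parsed.scheme}://{parsed.netloc}" not in ALLOWED_ORIGINS:
        return False
    return True


def strict_origin_check(headers: dict, state_changing: bool = True) -> bool:
    """Hardened check for state-changing requests (POST/PUT/DELETE):
    the Origin header must be present, must not be the opaque value 'null',
    and must match an allow-listed origin exactly (scheme, host and port)."""
    if not state_changing:
        return True
    origin = headers.get("Origin")
    if origin is None or origin.strip().lower() == "null":
        return False
    return origin in ALLOWED_ORIGINS


def response_headers_for_userdata(filename: str) -> dict:
    """Response headers for a file under a user-data route. Anything that a
    browser could interpret as markup is forced to text/plain and sent as an
    attachment, and sniffing is disabled, so an uploaded .html file is never
    executed in the application's origin."""
    ext = os.path.splitext(filename)[1].lower()
    headers = {"X-Content-Type-Options": "nosniff"}
    if ext in ACTIVE_EXTENSIONS:
        headers["Content-Type"] = "text/plain; charset=utf-8"
        headers["Content-Disposition"] = f'attachment; filename="{os.path.basename(filename)}"'
    else:
        guessed = mimetypes.guess_type(filename)[0] or "application/octet-stream"
        headers["Content-Type"] = guessed
        headers["Content-Disposition"] = "inline"
    return headers


if __name__ == "__main__":
    # Constructed request headers: a sandboxed iframe, a foreign page, and the UI itself.
    samples = {
        "sandboxed iframe": {"Origin": "null"},
        "foreign page": {"Origin": "http://attacker.example"},
        "no Origin header": {},
        "the UI itself": {"Origin": "http://127.0.0.1:8188"},
    }
    for label, hdrs in samples.items():
        print(f"{label:18} loose={loose_origin_check(hdrs)!s:5} strict={strict_origin_check(hdrs)}")
    print(response_headers_for_userdata("evil.html"))
```

The check only matters for requests that change state; a `GET` is left alone so the UI keeps working from the address bar. Note that the strict variant also refuses a request with no Origin header at all, which is the right default for an endpoint that accepts uploads, since the browser omits Origin on some same-origin navigations but always sends it on cross-origin POSTs.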