Honestly, I don't think it's possible for this app to have security vulnerabilities. It runs 100% in the browser with zero interaction with the outside world except via ComfyJS. Any issues with the main app should either be raised as an issue, or might be a problem with the browser or ComfyJS.
As for the Python script, it's very basic and I could see it having flaws. If you find one, just raise an issue in the repo; this is only a hobby project and there's no telling if I'd ever check my email or anything for this.