Home > Vulnerability Database > CVE-2026-22777

Mend.io Vulnerability Database

CVE-2026-22777

Good to know:

Date: January 10, 2026

ComfyUI-Manager is an extension designed to enhance the usability of ComfyUI. Prior to versions 3.39.2 and 4.0.5, an attacker can inject special characters into HTTP query parameters to add arbitrary configuration values to the config.ini file. This can lead to security setting tampering or modification of application behavior. This issue has been patched in versions 3.39.2 and 4.0.5.

Severity Score

7.5

Related Resources (6)

Url: https://nvd.nist.gov/vuln/detail/CVE-2026-22777

Url: https://github.com/Comfy-Org/ComfyUI-Manager/security/advisories/GHSA-562r-8445-54r2

Url: https://github.com/Comfy-Org/ComfyUI-Manager/commit/f4fa394e0f03b013f1068c96cff168ad10bd0410

Url: https://github.com/Comfy-Org/ComfyUI-Manager/commit/ef8703a3d7ab4e6ecda8f96e0c5816c23d1cb262

Url: https://github.com/Comfy-Org/ComfyUI-Manager

Url: https://www.mend.io/vulnerability-database/CVE-2026-22777

Severity Score

7.5

Weakness Type (CWE)

Improper Neutralization of CRLF Sequences ('CRLF Injection')

CWE-93

Top Fix

Upgrade Version

Upgrade to version comfyui-manager - 4.0.5;https://github.com/Comfy-Org/ComfyUI-Manager.git - 3.39.2;https://github.com/Comfy-Org/ComfyUI-Manager.git - 4.0.5

Learn More

CVSS v3.1

Base Score:	7.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	HIGH
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2026-22777

Good to know:

Date: January 10, 2026

Severity Score

Related Resources (6)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?