{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22777", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-09T18:27:19.388Z", "datePublished": "2026-01-10T06:43:21.579Z", "dateUpdated": "2026-01-12T13:22:32.833Z"}, "containers": {"cna": {"title": "ComfyUI-Manager is Vulnerable to CRLF Injection in Configuration Handler", "problemTypes": [{"descriptions": [{"cweId": "CWE-93", "lang": "en", "description": "CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/Comfy-Org/ComfyUI-Manager/security/advisories/GHSA-562r-8445-54r2", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/Comfy-Org/ComfyUI-Manager/security/advisories/GHSA-562r-8445-54r2"}, {"name": "https://github.com/Comfy-Org/ComfyUI-Manager/commit/f4fa394e0f03b013f1068c96cff168ad10bd0410", "tags": ["x_refsource_MISC"], "url": "https://github.com/Comfy-Org/ComfyUI-Manager/commit/f4fa394e0f03b013f1068c96cff168ad10bd0410"}], "affected": [{"vendor": "Comfy-Org", "product": "ComfyUI-Manager", "versions": [{"version": ">= 4.0.0, < 4.0.5", "status": "affected"}, {"version": "< 3.39.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-10T06:43:21.579Z"}, "descriptions": [{"lang": "en", "value": "ComfyUI-Manager is an extension designed to enhance the usability of ComfyUI. Prior to versions 3.39.2 and 4.0.5, an attacker can inject special characters into HTTP query parameters to add arbitrary configuration values to the config.ini file. This can lead to security setting tampering or modification of application behavior. This issue has been patched in versions 3.39.2 and 4.0.5."}], "source": {"advisory": "GHSA-562r-8445-54r2", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-12T13:22:21.429246Z", "id": "CVE-2026-22777", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-12T13:22:32.833Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-22777", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-12T13:22:21.429246Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-12T13:22:28.144Z"}}], "cna": {"title": "ComfyUI-Manager is Vulnerable to CRLF Injection in Configuration Handler", "source": {"advisory": "GHSA-562r-8445-54r2", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "Comfy-Org", "product": "ComfyUI-Manager", "versions": [{"status": "affected", "version": ">= 4.0.0, < 4.0.5"}, {"status": "affected", "version": "< 3.39.2"}]}], "references": [{"url": "https://github.com/Comfy-Org/ComfyUI-Manager/security/advisories/GHSA-562r-8445-54r2", "name": "https://github.com/Comfy-Org/ComfyUI-Manager/security/advisories/GHSA-562r-8445-54r2", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/Comfy-Org/ComfyUI-Manager/commit/f4fa394e0f03b013f1068c96cff168ad10bd0410", "name": "https://github.com/Comfy-Org/ComfyUI-Manager/commit/f4fa394e0f03b013f1068c96cff168ad10bd0410", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "ComfyUI-Manager is an extension designed to enhance the usability of ComfyUI. Prior to versions 3.39.2 and 4.0.5, an attacker can inject special characters into HTTP query parameters to add arbitrary configuration values to the config.ini file. This can lead to security setting tampering or modification of application behavior. This issue has been patched in versions 3.39.2 and 4.0.5."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-93", "description": "CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-10T06:43:21.579Z"}}}, "cveMetadata": {"cveId": "CVE-2026-22777", "state": "PUBLISHED", "dateUpdated": "2026-01-12T13:22:32.833Z", "dateReserved": "2026-01-09T18:27:19.388Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-10T06:43:21.579Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:comfy:comfyui-manager:*:*:*:*:*:*:*:*", "matchCriteriaId": "A013F11E-DEAA-4DA0-97EE-667AEDE64317", "versionEndExcluding": "3.39.2", "vulnerable": true}, {"criteria": "cpe:2.3:a:comfy:comfyui-manager:*:*:*:*:*:*:*:*", "matchCriteriaId": "739DC981-BB57-45A4-A8CB-1CF26CA53EB2", "versionEndExcluding": "4.0.5", "versionStartIncluding": "4.0.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "ComfyUI-Manager is an extension designed to enhance the usability of ComfyUI. Prior to versions 3.39.2 and 4.0.5, an attacker can inject special characters into HTTP query parameters to add arbitrary configuration values to the config.ini file. This can lead to security setting tampering or modification of application behavior. This issue has been patched in versions 3.39.2 and 4.0.5."}], "id": "CVE-2026-22777", "lastModified": "2026-02-05T21:02:05.997", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-01-10T07:16:03.680", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/Comfy-Org/ComfyUI-Manager/commit/f4fa394e0f03b013f1068c96cff168ad10bd0410"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/Comfy-Org/ComfyUI-Manager/security/advisories/GHSA-562r-8445-54r2"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-93"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T16:30:19.053208+00:00", "value": {"mitigation_remediation": ["Upgrade ComfyUI\u2011Manager to version\u00a03.39.2 or later, or\u00a04.0.5 or later, as the issue is fixed in these releases.", "Restrict access to the configuration endpoint through network controls or authentication mechanisms.", "Validate and sanitize all HTTP query parameters before processing them."], "summary": {"action": "Apply Patch", "impact": "Configuration tampering"}, "threat_synthesis": {"affected_systems": "Vendors affected include Comfy\u2011Org\u2019s ComfyUI\u2011Manager extension. Versions prior to 3.39.2 for the 3.x line and prior to 4.0.5 for the 4.x line are vulnerable.", "description_and_impact": "An injection flaw in the configuration handler of the ComfyUI\u2011Manager extension allows an attacker who can manipulate HTTP query parameters to embed malformed or malicious characters. When the handler processes these parameters it writes the values directly to the config.ini file, enabling arbitrary configuration entries to be added or existing ones overridden. The result is tampering with security settings or altering application behavior, potentially compromising confidentiality, integrity, or availability of the system that relies on those configurations.", "risk_and_exploitability": "The flaw is evaluated with a CVSS score of 7.5, indicating a high severity. Exploitation probability, measured by EPSS, is reported as less than 1%, suggesting that active attacks are rare but not impossible. The vulnerability is not listed in CISA\u2019s KEV catalog. Attackers would need network access to send crafted HTTP requests to the manager\u2019s configuration endpoint, making the vector network-based. If successful, they could modify system behaviour or subvert security controls without needing privileged local access."}}}}, "created": "2026-01-12T14:36:22.172492+00:00", "updated": "2026-04-18T16:45:05.213818+00:00", "vendors": ["comfy", "comfy$PRODUCT$comfyui"]}