Cyber Posture

CVE-2026-22777

High

Published: 10 January 2026
Modified: 05 February 2026
KEV Added: not listed (not currently in the CISA KEV catalog)
Patch: available
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
EPSS Score: 0.0001 (3.3rd percentile)
Risk Priority: 15 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-22777 is a high-severity CRLF Injection (CWE-93) vulnerability in Comfy Comfyui-Manager. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 3.3rd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and one other technique, Disable or Modify Tools (T1562.001).
Threat & Defense Details

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1562.001 Disable or Modify Tools (Stealth): Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities.
Why these techniques?

Remote HTTP parameter injection into a public-facing ComfyUI-Manager instance directly enables T1190 exploitation; the resulting arbitrary config.ini modification can tamper with security settings, which maps to T1562.001.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

ComfyUI-Manager is an extension designed to enhance the usability of ComfyUI. Prior to versions 3.39.2 and 4.0.5, an attacker can inject special characters into HTTP query parameters to add arbitrary configuration values to the config.ini file. This can lead to security setting tampering or modification of application behavior. This issue has been patched in versions 3.39.2 and 4.0.5.

Deeper analysis (AI-generated)

CVE-2026-22777 is a vulnerability in ComfyUI-Manager, an extension designed to enhance the usability of ComfyUI, affecting versions prior to 3.39.2 and 4.0.5. It enables an attacker to inject special characters into HTTP query parameters, allowing the addition of arbitrary configuration values to the config.ini file. This can lead to security setting tampering or modification of application behavior. The issue, published on 2026-01-10, is associated with CWE-93 and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N), reflecting a high integrity impact with no confidentiality or availability impact.

The vulnerability can be exploited by any remote attacker with network access, requiring low attack complexity, no privileges, and no user interaction. Successful exploitation allows modification of the config.ini file, enabling tampering with security settings or altering application behavior to the attacker's advantage, without impacting confidentiality or availability.

Mitigation is available through patching: upgrade to ComfyUI-Manager versions 3.39.2 or 4.0.5. Detailed advisory information and the patching commit are provided in the GitHub security advisory (https://github.com/Comfy-Org/ComfyUI-Manager/security/advisories/GHSA-562r-8445-54r2) and commit (https://github.com/Comfy-Org/ComfyUI-Manager/commit/f4fa394e0f03b013f1068c96cff168ad10bd0410).
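As an added illustration of the CWE-93 pattern the advisory describes (constructed here, not ComfyUI-Manager's code, and making no claim about how that project actually writes config.ini), the Python below contrasts a naive INI writer that splices a decoded query parameter into the file, where an LF in the value yields an extra key, with a hardened writer that allow-lists keys, rejects control characters and serializes through configparser. The key names, base file and query strings are all invented.

```python
# Constructed illustration of CWE-93 (CRLF injection) into an INI file: a
# hypothetical settings endpoint copies a query parameter into config.ini.
# Key names and queries are invented; none of this is ComfyUI-Manager's code.
import configparser
import io
import re
from urllib.parse import parse_qs

ALLOWED_KEYS = {"theme", "language"}            # hypothetical allow-list
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")  # CR, LF, NUL, ... are rejected
BASE_INI = "[default]\ntheme = dark\n"                # constructed config file
LEGIT_QUERY = "language=en"                           # constructed input
INJECTED_QUERY = "language=en%0Aallow_remote%3Dtrue"  # %0A decodes to LF

def naive_write(ini_text: str, key: str, value: str) -> str:
    """Vulnerable: value spliced into the file as text; an embedded LF starts a new key."""
    return ini_text.rstrip("\n") + f"\n{key} = {value}\n"

def hardened_write(ini_text: str, key: str, value: str) -> str:
    """Reject unknown keys and control characters; configparser serializes the value."""
    if key not in ALLOWED_KEYS:
        raise ValueError(f"unknown setting: {key!r}")
    if CONTROL_CHARS.search(value):
        raise ValueError("control characters are not allowed in values")
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    cp.set("default", key, value)
    out = io.StringIO()
    cp.write(out)
    return out.getvalue()

def handle_query(ini_text: str, query_string: str, writer) -> str:
    """Apply every key=value pair of a query string using the given writer."""
    for key, values in parse_qs(query_string, keep_blank_values=True).items():
        ini_text = writer(ini_text, key, values[0])
    return ini_text

def read_keys(ini_text: str) -> dict:
    """Parse INI text and return the options of [default] as a plain dict."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    return dict(cp["default"])

def rejected_by_hardened(ini_text: str, query_string: str) -> bool:
    """True if the hardened writer refuses the query with ValueError."""
    try:
        handle_query(ini_text, query_string, hardened_write)
    except ValueError:
        return True
    return False
```

With the naive writer the injected query leaves a third key, allow_remote, in the parsed file; the hardened writer refuses the same input before anything is written.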

Details

CWE(s): CWE-93 (CRLF Injection)

Affected Products

comfy comfyui-manager: ≤ 3.39.2 · 4.0.3 — 4.0.5

CVEs Like This One

CVE-2025-67303 · same product: Comfy Comfyui-Manager
CVE-2026-41230 · shared CWE-93
CVE-2026-39394 · shared CWE-93
CVE-2025-28357 · shared CWE-93
CVE-2026-5140 · shared CWE-93
CVE-2026-21428 · shared CWE-93
CVE-2026-39983 · shared CWE-93
CVE-2026-1714 · shared CWE-93
CVE-2026-6351 · shared CWE-93
CVE-2026-33128 · shared CWE-93

References