VYPR

Comfyui Manager

by Comfy Org

CVEs (3)

  • CVE-2024-21574 | Cri | Dec 12, 2024
    risk 0.59 | cvss 10.0 | epss 0.01

    The issue stems from a missing validation of the pip field in a POST request sent to the /customnode/install endpoint, which is used to install custom nodes and is added to the server by the extension. This allows an attacker to craft a request that triggers a pip install on a user…

  • CVE-2026-22777 | Jan 10, 2026
    risk 0.00 | cvss (not given) | epss 0.00

    ComfyUI-Manager is an extension designed to enhance the usability of ComfyUI. Prior to versions 3.39.2 and 4.0.5, an attacker can inject special characters into HTTP query parameters to add arbitrary configuration values to the config.ini file. This can lead to security setting…

  • CVE-2025-67303 | Jan 5, 2026
    risk 0.00 | cvss (not given) | epss 0.01

    An issue in ComfyUI-Manager prior to version 3.38 allowed remote attackers to potentially manipulate its configuration and critical data. This was due to the application storing its files in an insufficiently protected location that was accessible via the web interface.