Morgan
by Expressjs
npm: morgan
Source repositories
CVEs (2)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2019-5413 | Cri | 0.64 | 9.8 | 0.03 | Mar 21, 2019 | An attacker can use the format parameter to inject arbitrary commands in the npm package morgan < 1.9.1. | ||
| CVE-2026-5078 | Med | 0.34 | 5.3 | 0.00 | Jun 3, 2026 | Impact: The morgan logging middleware's :remote-user token extracts the Basic auth username from the Authorization request header and writes it to the log stream without neutralizing control characters. An unauthenticated attacker can send a crafted Authorization Basic header… |
- risk 0.64cvss 9.8epss 0.03
An attacker can use the format parameter to inject arbitrary commands in the npm package morgan < 1.9.1.
- risk 0.34cvss 5.3epss 0.00
Impact: The morgan logging middleware's :remote-user token extracts the Basic auth username from the Authorization request header and writes it to the log stream without neutralizing control characters. An unauthenticated attacker can send a crafted Authorization Basic header…