Morgan
by Expressjs
CVEs (2)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-5078 | | Med | 0.34 | 5.3 | — | | Jun 3, 2026 | Impact: The morgan logging middleware's :remote-user token extracts the Basic auth username from the Authorization request header and writes it to the log stream without neutralizing control characters. An unauthenticated attacker can send a crafted Authorization Basic header… |
| CVE-2019-5413 | | | 0.00 | — | 0.02 | | Mar 17, 2019 | An attacker can use the format parameter to inject arbitrary commands in the npm package morgan < 1.9.1. |