VYPR

Morgan

by Expressjs

npm: morgan

Source repositories

CVEs (2)

  • CVE-2019-5413CriMar 21, 2019
    risk 0.64cvss 9.8epss 0.03

    An attacker can use the format parameter to inject arbitrary commands in the npm package morgan < 1.9.1.

  • CVE-2026-5078MedJun 3, 2026
    risk 0.34cvss 5.3epss 0.00

    Impact: The morgan logging middleware's :remote-user token extracts the Basic auth username from the Authorization request header and writes it to the log stream without neutralizing control characters. An unauthenticated attacker can send a crafted Authorization Basic header…