This page aggregates publicly disclosed CVE and security risk information related to morgan_project, with CVSS, EPSS, publication dates, and vulnerability intelligence data to help assess potential risk and remediation priority.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2026-5078 | Impact: The morgan logging middleware's :remote-user token extracts the Basic auth username from the Authorization request header and writes it to the log stream without neutralizing control characters. An unauthenticated attacker can send a crafted Authorization Basic header containing CR or LF bytes to inject forged log lines, breaking the one-request-per-line structure of access logs and enabling log forgery against downstream log consumers. The built-in combined, common, default, and short f | ce714d77-add3-4f53-aff5-83d477b104bb | 5.3 | 0.24% | 2026-06-03 | 2026-06-04 |
| CVE-2019-5413 | An attacker can use the format parameter to inject arbitrary commands in the npm package morgan < 1.9.1. | [email protected] | 9.8 | 3.40% | 2019-03-21 | 2024-11-21 |