morgan_project 相關的公開 CVE 漏洞與安全風險資訊,提供 CVSS、EPSS、公開時間與漏洞情報資料,協助評估潛在風險與修補優先順序。
| CVE | 摘要 | 來源 | 最高 CVSS | EPSS % | 公開時間 | 更新時間 |
|---|---|---|---|---|---|---|
| CVE-2026-5078 | Impact: The morgan logging middleware's :remote-user token extracts the Basic auth username from the Authorization request header and writes it to the log stream without neutralizing control characters. An unauthenticated attacker can send a crafted Authorization Basic header containing CR or LF bytes to inject forged log lines, breaking the one-request-per-line structure of access logs and enabling log forgery against downstream log consumers. The built-in combined, common, default, and short f | ce714d77-add3-4f53-aff5-83d477b104bb | 5.3 | 0.24% | 2026-06-03 | 2026-06-17 |
| CVE-2019-5413 | An attacker can use the format parameter to inject arbitrary commands in the npm package morgan < 1.9.1. | [email protected] | 9.8 | 3.40% | 2019-03-21 | 2026-06-16 |