Lucene search
+L

276 matches found

redhat
redhat
added 6 days ago3 views

morgan: morgan: Log forgery due to unneutralized control characters

A flaw was found in the morgan HTTP request logging middleware. The :remote-user token writes the Basic auth username to access logs without neutralizing CR/LF control characters. An unauthenticated remote attacker can inject forged log lines via a crafted Authorization header, breaking...

5.3CVSS6.1AI score0.00246EPSS
Exploits0References6
euvd
euvd
added 6 days ago20 views

EUVD-2026-34067

morgan vulnerable to Log Forging via unneutralized control characters in :remote-user...

5.3CVSS6.1AI score0.00246EPSS
Exploits0References3
redhatcve
redhatcve
added 2026/06/10 9:27 p.m.13 views

CVE-2026-5078

A flaw was found in the morgan HTTP request logging middleware. The :remote-user token writes the Basic auth username to access logs without neutralizing CR/LF control characters. An unauthenticated remote attacker can inject forged log lines via a crafted Authorization header, breaking...

5.3CVSS5.8AI score0.00246EPSS
Exploits0References5
nessus
nessus
added 2026/06/04 12:0 a.m.11 views

Linux Distros Unpatched Vulnerability : CVE-2026-5078

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Impact: The morgan logging middleware's :remote-user token extracts the Basic auth username from the Authorization request header and writes it to the log strea...

5.3CVSS6AI score0.00246EPSS
Exploits0References3
snyk
snyk
added 2026/06/03 8:24 a.m.9 views

Improper Output Neutralization for Logs

Overview morgan is a HTTP request logger middleware for node.js. Affected versions of this package are vulnerable to Improper Output Neutralization for Logs via the :remote-user token, which extracts the Basic auth username from the Authorization header and writes it to the log stream without...

6.9CVSS5.5AI score0.00246EPSS
Exploits0References2
nvd
nvd
added 2026/06/03 8:16 a.m.12 views

CVE-2026-5078

Impact: The morgan logging middleware's :remote-user token extracts the Basic auth username from the Authorization request header and writes it to the log stream without neutralizing control characters. An unauthenticated attacker can send a crafted Authorization Basic header containing CR or LF...

5.3CVSS0.00246EPSS
Exploits0References2
osv
osv
added 2026/06/03 8:16 a.m.12 views

UBUNTU-CVE-2026-5078

Impact: The morgan logging middleware's :remote-user token extracts the Basic auth username from the Authorization request header and writes it to the log stream without neutralizing control characters. An unauthenticated attacker can send a crafted Authorization Basic header containing CR or LF...

5.3CVSS5.8AI score0.00246EPSS
Exploits0References4
vulnrichment
vulnrichment
added 2026/06/03 5:56 a.m.13 views

CVE-2026-5078 morgan vulnerable to Log Forging via unneutralized control characters in :remote-user

Impact: The morgan logging middleware's :remote-user token extracts the Basic auth username from the Authorization request header and writes it to the log stream without neutralizing control characters. An unauthenticated attacker can send a crafted Authorization Basic header containing CR or LF...

5.3CVSS5.8AI score0.00246EPSS
Exploits0References2
cve
cve
added 2026/06/03 5:56 a.m.35 views

CVE-2026-5078

CVE-2026-5078 affects the morgan logging middleware; versions 1.2.0 through 1.10.1 write the Basic auth username from the Authorization header into logs without neutralizing CR/LF control characters, enabling log forgery. Affected formats include built-in combined, common, default, short, and any...

5.3CVSS5.8AI score0.00246EPSS
Exploits0References2Affected Software1
attackerkb
attackerkb
added 2026/06/03 5:56 a.m.6 views

CVE-2026-5078

Impact: The morgan logging middleware's :remote-user token extracts the Basic auth username from the Authorization request header and writes it to the log stream without neutralizing control characters. An unauthenticated attacker can send a crafted Authorization Basic header containing CR or LF...

5.3CVSS5.8AI score0.00246EPSS
Exploits0References3Affected Software1
cvelist
cvelist
added 2026/06/03 5:56 a.m.48 views

CVE-2026-5078 morgan vulnerable to Log Forging via unneutralized control characters in :remote-user

Impact: The morgan logging middleware's :remote-user token extracts the Basic auth username from the Authorization request header and writes it to the log stream without neutralizing control characters. An unauthenticated attacker can send a crafted Authorization Basic header containing CR or LF...

5.3CVSS0.00246EPSS
Exploits0References2
osv
osv
added 2026/06/03 5:56 a.m.3 views

CVE-2026-5078 morgan vulnerable to Log Forging via unneutralized control characters in :remote-user

Impact: The morgan logging middleware's :remote-user token extracts the Basic auth username from the Authorization request header and writes it to the log stream without neutralizing control characters. An unauthenticated attacker can send a crafted Authorization Basic header containing CR or LF...

5.3CVSS6.1AI score0.00246EPSS
Exploits0References4
cnnvd
cnnvd
added 2026/06/03 12:0 a.m.11 views

morgan 安全漏洞

Morgan is an open-source HTTP request logging middleware developed by ExpressJS. Versions 1.2.0 to 1.10.1 of Morgan contain security vulnerabilities. These vulnerabilities stem from the remoteuser token not being escaped with control characters, which may lead to log manipulation...

5.3CVSS5.3AI score0.00246EPSS
Exploits0References2
ptsecurity
ptsecurity
added 2026/06/02 12:0 a.m.22 views

PT-2026-45901

Name of the Vulnerable Software and Affected Versions morgan versions 1.2.0 through 1.10.1 Description The logging middleware fails to neutralize control characters when the :remote-user token extracts the Basic auth username from the Authorization request header. An unauthenticated attacker can...

5.3CVSS5.8AI score0.00246EPSS
Exploits0References12
ossf
ossf
added 2025/11/13 3:23 a.m.6 views

Malicious code in xo-morgan-css-loader-prompts (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector df18935c38976d8952bf589369f1a0e87fbdb16e09e484594e5e302fd8d55ee6 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

6.9AI score
Exploits0
euvd
euvd
added 2025/11/13 3:23 a.m.5 views

EUVD-2025-177757

Malicious code in morgan-meteor-loop-delphinus npm...

6.6AI score
Exploits0
euvd
euvd
added 2025/11/13 3:23 a.m.4 views

EUVD-2025-176628

Malicious code in rimraf-playwright-morgan-norma npm...

6.6AI score
Exploits0
osv
osv
added 2025/11/13 3:23 a.m.5 views

MAL-2025-185831 Malicious code in biosignature-nestjs-publish-morgan (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 2d5da20f5f3da9d3423c88e9820644cae1a1723c0ef22e66931bde9716ccd67f This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

6.8AI score
Exploits0
euvd
euvd
added 2025/11/13 3:23 a.m.3 views

EUVD-2025-178457

Malicious code in ignite-configstore-morgan-kastra npm...

6.6AI score
Exploits0
osv
osv
added 2025/11/13 3:23 a.m.4 views

MAL-2025-188973 Malicious code in pulsar-orogeny-heliophysics-morgan (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 333e8662dad6f87568ddf49c98f9b0c3a7a9631721d35321a5287cb062713e76 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

6.8AI score
Exploits0
Rows per page
Query Builder