CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

Snyk•added 2026/06/03 8:24 a.m.•6 views

Improper Output Neutralization for Logs

Overview morgan is a HTTP request logger middleware for node.js. Affected versions of this package are vulnerable to Improper Output Neutralization for Logs via the :remote-user token, which extracts the Basic auth username from the Authorization header and writes it to the log stream without...

6.9CVSS5.5AI score0.00246EPSS

NVD•added 2026/06/03 8:16 a.m.•9 views

CVE-2026-5078

Impact: The morgan logging middleware's :remote-user token extracts the Basic auth username from the Authorization request header and writes it to the log stream without neutralizing control characters. An unauthenticated attacker can send a crafted Authorization Basic header containing CR or LF...

5.3CVSS0.00246EPSS

OSV•added 2026/06/03 8:16 a.m.•9 views

UBUNTU-CVE-2026-5078

Vulnrichment•added 2026/06/03 5:56 a.m.•9 views

Exploits0References4

CVE-2026-5078 morgan vulnerable to Log Forging via unneutralized control characters in :remote-user

CVE•added 2026/06/03 5:56 a.m.•23 views

CVE-2026-5078

CVE-2026-5078 affects the morgan logging middleware; versions 1.2.0 through 1.10.1 write the Basic auth username from the Authorization header into logs without neutralizing CR/LF control characters, enabling log forgery. Affected formats include built-in combined, common, default, short, and any...

Exploits0References2Affected Software1

ATTACKERKB•added 2026/06/03 5:56 a.m.•5 views

CVE-2026-5078

Exploits0References3Affected Software1

EUVD•added 2026/06/03 5:56 a.m.•15 views

EUVD-2026-34067

Cvelist•added 2026/06/03 5:56 a.m.•42 views

CVE-2026-5078 morgan vulnerable to Log Forging via unneutralized control characters in :remote-user

5.3CVSS0.00246EPSS

CNNVD•added 2026/06/03 12:0 a.m.•6 views

morgan 安全漏洞

Morgan is an open-source HTTP request logging middleware developed by ExpressJS. Versions 1.2.0 to 1.10.1 of Morgan contain security vulnerabilities. These vulnerabilities stem from the remoteuser token not being escaped with control characters, which may lead to log manipulation...

5.3CVSS5.3AI score0.00246EPSS

Positive Technologies•added 2026/06/02 12:0 a.m.•14 views

PT-2026-45901

Name of the Vulnerable Software and Affected Versions morgan versions 1.2.0 through 1.10.1 Description The logging middleware fails to neutralize control characters when the :remote-user token extracts the Basic auth username from the Authorization request header. An unauthenticated attacker can...

EUVD•added 2025/11/13 3:23 a.m.•2 views

Exploits0References3

EUVD-2025-176628

Malicious code in rimraf-playwright-morgan-norma npm...

EUVD•added 2025/11/13 3:23 a.m.•3 views

EUVD-2025-175467

Malicious code in xo-morgan-css-loader-prompts npm...

OSSF Malicious Packages•added 2025/11/13 3:23 a.m.•5 views

Malicious code in xo-morgan-css-loader-prompts (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector df18935c38976d8952bf589369f1a0e87fbdb16e09e484594e5e302fd8d55ee6 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

6.9AI score

EUVD•added 2025/11/13 3:23 a.m.•3 views

EUVD-2025-177758

Malicious code in morgan-magellan-public-envconfig npm...

EUVD•added 2025/11/13 3:23 a.m.•4 views

EUVD-2025-177757

Malicious code in morgan-meteor-loop-delphinus npm...