276 matches found
morgan: morgan: Log forgery due to unneutralized control characters
A flaw was found in the morgan HTTP request logging middleware. The :remote-user token writes the Basic auth username to access logs without neutralizing CR/LF control characters. An unauthenticated remote attacker can inject forged log lines via a crafted Authorization header, breaking...
EUVD-2026-34067
morgan vulnerable to Log Forging via unneutralized control characters in :remote-user...
CVE-2026-5078
A flaw was found in the morgan HTTP request logging middleware. The :remote-user token writes the Basic auth username to access logs without neutralizing CR/LF control characters. An unauthenticated remote attacker can inject forged log lines via a crafted Authorization header, breaking...
Linux Distros Unpatched Vulnerability : CVE-2026-5078
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Impact: The morgan logging middleware's :remote-user token extracts the Basic auth username from the Authorization request header and writes it to the log strea...
Improper Output Neutralization for Logs
Overview morgan is a HTTP request logger middleware for node.js. Affected versions of this package are vulnerable to Improper Output Neutralization for Logs via the :remote-user token, which extracts the Basic auth username from the Authorization header and writes it to the log stream without...
CVE-2026-5078
Impact: The morgan logging middleware's :remote-user token extracts the Basic auth username from the Authorization request header and writes it to the log stream without neutralizing control characters. An unauthenticated attacker can send a crafted Authorization Basic header containing CR or LF...
UBUNTU-CVE-2026-5078
Impact: The morgan logging middleware's :remote-user token extracts the Basic auth username from the Authorization request header and writes it to the log stream without neutralizing control characters. An unauthenticated attacker can send a crafted Authorization Basic header containing CR or LF...
CVE-2026-5078 morgan vulnerable to Log Forging via unneutralized control characters in :remote-user
Impact: The morgan logging middleware's :remote-user token extracts the Basic auth username from the Authorization request header and writes it to the log stream without neutralizing control characters. An unauthenticated attacker can send a crafted Authorization Basic header containing CR or LF...
CVE-2026-5078
CVE-2026-5078 affects the morgan logging middleware; versions 1.2.0 through 1.10.1 write the Basic auth username from the Authorization header into logs without neutralizing CR/LF control characters, enabling log forgery. Affected formats include built-in combined, common, default, short, and any...
CVE-2026-5078
Impact: The morgan logging middleware's :remote-user token extracts the Basic auth username from the Authorization request header and writes it to the log stream without neutralizing control characters. An unauthenticated attacker can send a crafted Authorization Basic header containing CR or LF...
CVE-2026-5078 morgan vulnerable to Log Forging via unneutralized control characters in :remote-user
Impact: The morgan logging middleware's :remote-user token extracts the Basic auth username from the Authorization request header and writes it to the log stream without neutralizing control characters. An unauthenticated attacker can send a crafted Authorization Basic header containing CR or LF...
CVE-2026-5078 morgan vulnerable to Log Forging via unneutralized control characters in :remote-user
Impact: The morgan logging middleware's :remote-user token extracts the Basic auth username from the Authorization request header and writes it to the log stream without neutralizing control characters. An unauthenticated attacker can send a crafted Authorization Basic header containing CR or LF...
morgan 安全漏洞
Morgan is an open-source HTTP request logging middleware developed by ExpressJS. Versions 1.2.0 to 1.10.1 of Morgan contain security vulnerabilities. These vulnerabilities stem from the remoteuser token not being escaped with control characters, which may lead to log manipulation...
PT-2026-45901
Name of the Vulnerable Software and Affected Versions morgan versions 1.2.0 through 1.10.1 Description The logging middleware fails to neutralize control characters when the :remote-user token extracts the Basic auth username from the Authorization request header. An unauthenticated attacker can...
Malicious code in xo-morgan-css-loader-prompts (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector df18935c38976d8952bf589369f1a0e87fbdb16e09e484594e5e302fd8d55ee6 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
EUVD-2025-177757
Malicious code in morgan-meteor-loop-delphinus npm...
EUVD-2025-176628
Malicious code in rimraf-playwright-morgan-norma npm...
MAL-2025-185831 Malicious code in biosignature-nestjs-publish-morgan (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 2d5da20f5f3da9d3423c88e9820644cae1a1723c0ef22e66931bde9716ccd67f This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
EUVD-2025-178457
Malicious code in ignite-configstore-morgan-kastra npm...
MAL-2025-188973 Malicious code in pulsar-orogeny-heliophysics-morgan (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 333e8662dad6f87568ddf49c98f9b0c3a7a9631721d35321a5287cb062713e76 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...