<?xml version='1.0' encoding='UTF-8'?>
<?xml-stylesheet href="/static/style.xsl" type="text/xsl"?>
<rss xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/" version="2.0">
  <channel>
    <title>Most recent sightings.</title>
    <link>https://vulnerability.circl.lu</link>
    <description>Contains only the most 10 recent sightings.</description>
    <docs>http://www.rssboard.org/rss-specification</docs>
    <generator>python-feedgen</generator>
    <language>en</language>
    <lastBuildDate>Sat, 11 Jul 2026 22:29:55 +0000</lastBuildDate>
    <item>
      <title>d7e9ed05-0334-4e7e-a66a-ca5adb5b64e1</title>
      <link>https://vulnerability.circl.lu/sighting/d7e9ed05-0334-4e7e-a66a-ca5adb5b64e1/export</link>
      <description>{"uuid": "d7e9ed05-0334-4e7e-a66a-ca5adb5b64e1", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-5078", "type": "seen", "source": "https://gist.github.com/alon710/6a1f370c6283107f299350100ca84db2", "content": "# CVE-2026-5078: CVE-2026-5078: Log Forging and Injection via :remote-user Token in Morgan Logging Middleware\n\n&amp;gt; **CVSS Score:** 5.3\n&amp;gt; **Published:** 2026-07-10\n&amp;gt; **Full Report:** https://cvereports.com/reports/CVE-2026-5078\n\n## Summary\nCVE-2026-5078 is a log injection vulnerability in Morgan, the widely deployed Node.js HTTP request logging middleware. The vulnerability arises because the ':remote-user' logging token decodes and outputs basic authentication usernames containing control characters, such as Carriage Return (CR) and Line Feed (LF), without sanitization. An unauthenticated attacker can bypass native HTTP header parsers by Base64-encoding CRLF sequences in the Authorization header. When Morgan logs the request, these control characters force newlines in the log stream, enabling log forging, SIEM evasion, and system activity spoofing.\n\n## TL;DR\nUnauthenticated remote log injection in Morgan middleware (versions 1.2.0-1.10.1) due to improper sanitization of basic authentication credentials. Upgrading to version 1.11.0 remediates the vulnerability.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-117 (Improper Output Neutralization for Logs)\n- **Attack Vector**: Network (Remote, Unauthenticated)\n- **CVSS v3.1 Score**: 5.3 (Medium)\n- **EPSS Score**: 0.00246\n- **Exploit Status**: Proof-of-Concept\n- **CISA KEV Status**: Not Listed\n\n## Affected Systems\n\n- Node.js applications using Morgan middleware versions 1.2.0 through 1.10.1 configured with log formats that include the :remote-user token.\n- **morgan**: &amp;gt;= 1.2.0, &amp;lt;= 1.10.1 (Fixed in: `1.11.0`)\n\n## Mitigation\n\n- Upgrade the Morgan middleware to version 1.11.0 or later to ensure automatic escaping of control characters.\n- Modify custom Morgan logging configurations to exclude the :remote-user token if immediate patching is not possible.\n- Deploy Web Application Firewall (WAF) rules to inspect and decode the Authorization: Basic header, blocking requests containing raw CRLF characters.\n\n**Remediation Steps:**\n1. Identify all Node.js projects utilizing the morgan npm package.\n2. Verify the installed version of morgan using 'npm list morgan' or checking package-lock.json.\n3. Update the dependency to version 1.11.0 or higher by running 'npm install morgan@1.11.0' or 'npm update morgan'.\n4. If unable to update, replace pre-built 'combined' or 'common' log formats with custom strings excluding the ':remote-user' token.\n5. Deploy and test log-monitoring queries to detect escaped sequence signatures 'u0000', 'u001f', or '\\r\\n' in system logs.\n\n## References\n\n- [GitHub Security Advisory GHSA-4vj7-5mj6-jm8m](https://github.com/expressjs/morgan/security/advisories/GHSA-4vj7-5mj6-jm8m)\n- [OpenJS Foundation Security Advisories](https://cna.openjsf.org/security-advisories.html)\n- [NVD Vulnerability Details: CVE-2026-5078](https://nvd.nist.gov/vuln/detail/CVE-2026-5078)\n- [CVE Org Record: CVE-2026-5078](https://www.cve.org/CVERecord?id=CVE-2026-5078)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-5078) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-07-10T15:11:59.694478Z"}</description>
      <content:encoded>{"uuid": "d7e9ed05-0334-4e7e-a66a-ca5adb5b64e1", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-5078", "type": "seen", "source": "https://gist.github.com/alon710/6a1f370c6283107f299350100ca84db2", "content": "# CVE-2026-5078: CVE-2026-5078: Log Forging and Injection via :remote-user Token in Morgan Logging Middleware\n\n&amp;gt; **CVSS Score:** 5.3\n&amp;gt; **Published:** 2026-07-10\n&amp;gt; **Full Report:** https://cvereports.com/reports/CVE-2026-5078\n\n## Summary\nCVE-2026-5078 is a log injection vulnerability in Morgan, the widely deployed Node.js HTTP request logging middleware. The vulnerability arises because the ':remote-user' logging token decodes and outputs basic authentication usernames containing control characters, such as Carriage Return (CR) and Line Feed (LF), without sanitization. An unauthenticated attacker can bypass native HTTP header parsers by Base64-encoding CRLF sequences in the Authorization header. When Morgan logs the request, these control characters force newlines in the log stream, enabling log forging, SIEM evasion, and system activity spoofing.\n\n## TL;DR\nUnauthenticated remote log injection in Morgan middleware (versions 1.2.0-1.10.1) due to improper sanitization of basic authentication credentials. Upgrading to version 1.11.0 remediates the vulnerability.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-117 (Improper Output Neutralization for Logs)\n- **Attack Vector**: Network (Remote, Unauthenticated)\n- **CVSS v3.1 Score**: 5.3 (Medium)\n- **EPSS Score**: 0.00246\n- **Exploit Status**: Proof-of-Concept\n- **CISA KEV Status**: Not Listed\n\n## Affected Systems\n\n- Node.js applications using Morgan middleware versions 1.2.0 through 1.10.1 configured with log formats that include the :remote-user token.\n- **morgan**: &amp;gt;= 1.2.0, &amp;lt;= 1.10.1 (Fixed in: `1.11.0`)\n\n## Mitigation\n\n- Upgrade the Morgan middleware to version 1.11.0 or later to ensure automatic escaping of control characters.\n- Modify custom Morgan logging configurations to exclude the :remote-user token if immediate patching is not possible.\n- Deploy Web Application Firewall (WAF) rules to inspect and decode the Authorization: Basic header, blocking requests containing raw CRLF characters.\n\n**Remediation Steps:**\n1. Identify all Node.js projects utilizing the morgan npm package.\n2. Verify the installed version of morgan using 'npm list morgan' or checking package-lock.json.\n3. Update the dependency to version 1.11.0 or higher by running 'npm install morgan@1.11.0' or 'npm update morgan'.\n4. If unable to update, replace pre-built 'combined' or 'common' log formats with custom strings excluding the ':remote-user' token.\n5. Deploy and test log-monitoring queries to detect escaped sequence signatures 'u0000', 'u001f', or '\\r\\n' in system logs.\n\n## References\n\n- [GitHub Security Advisory GHSA-4vj7-5mj6-jm8m](https://github.com/expressjs/morgan/security/advisories/GHSA-4vj7-5mj6-jm8m)\n- [OpenJS Foundation Security Advisories](https://cna.openjsf.org/security-advisories.html)\n- [NVD Vulnerability Details: CVE-2026-5078](https://nvd.nist.gov/vuln/detail/CVE-2026-5078)\n- [CVE Org Record: CVE-2026-5078](https://www.cve.org/CVERecord?id=CVE-2026-5078)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-5078) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-07-10T15:11:59.694478Z"}</content:encoded>
      <guid isPermaLink="false">https://vulnerability.circl.lu/sighting/d7e9ed05-0334-4e7e-a66a-ca5adb5b64e1/export</guid>
      <pubDate>Fri, 10 Jul 2026 15:11:59 +0000</pubDate>
    </item>
    <item>
      <title>d5310e51-5ff5-48b2-92f6-9691d4e69128</title>
      <link>https://vulnerability.circl.lu/sighting/d5310e51-5ff5-48b2-92f6-9691d4e69128/export</link>
      <description>{"uuid": "d5310e51-5ff5-48b2-92f6-9691d4e69128", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-5078", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mnew7lag7b2u", "content": "CVE-2026-5078 - morgan vulnerable to Log Forging via unneutralized control characters in :remote-user\nCVE ID : CVE-2026-5078\n \n Published : June 3, 2026, 8:16 a.m. | 16\u00a0minutes ago\n \n Description : Impact: The morgan logging middleware's :remote-user token extracts the Basic a...", "creation_timestamp": "2026-06-03T10:39:34.155752Z"}</description>
      <content:encoded>{"uuid": "d5310e51-5ff5-48b2-92f6-9691d4e69128", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-5078", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mnew7lag7b2u", "content": "CVE-2026-5078 - morgan vulnerable to Log Forging via unneutralized control characters in :remote-user\nCVE ID : CVE-2026-5078\n \n Published : June 3, 2026, 8:16 a.m. | 16\u00a0minutes ago\n \n Description : Impact: The morgan logging middleware's :remote-user token extracts the Basic a...", "creation_timestamp": "2026-06-03T10:39:34.155752Z"}</content:encoded>
      <guid isPermaLink="false">https://vulnerability.circl.lu/sighting/d5310e51-5ff5-48b2-92f6-9691d4e69128/export</guid>
      <pubDate>Wed, 03 Jun 2026 10:39:34 +0000</pubDate>
    </item>
    <item>
      <title>d6707699-0a17-4088-aa59-b6939c145b48</title>
      <link>https://vulnerability.circl.lu/sighting/d6707699-0a17-4088-aa59-b6939c145b48/export</link>
      <description>{"uuid": "d6707699-0a17-4088-aa59-b6939c145b48", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-5078", "type": "seen", "source": "https://bsky.app/profile/ulisesgascon.com/post/3mndedxkb3s2m", "content": "\ud83d\udea8 Moderate-severity security fix in morgan@1.11.0 just released!\n\nPatches CVE-2026-5078 \u2014 morgan vulnerable to Log Forging via unneutralized control characters in :remote-user\n\ngithub.com/expressjs/mo...", "creation_timestamp": "2026-06-02T19:47:16.884209Z"}</description>
      <content:encoded>{"uuid": "d6707699-0a17-4088-aa59-b6939c145b48", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-5078", "type": "seen", "source": "https://bsky.app/profile/ulisesgascon.com/post/3mndedxkb3s2m", "content": "\ud83d\udea8 Moderate-severity security fix in morgan@1.11.0 just released!\n\nPatches CVE-2026-5078 \u2014 morgan vulnerable to Log Forging via unneutralized control characters in :remote-user\n\ngithub.com/expressjs/mo...", "creation_timestamp": "2026-06-02T19:47:16.884209Z"}</content:encoded>
      <guid isPermaLink="false">https://vulnerability.circl.lu/sighting/d6707699-0a17-4088-aa59-b6939c145b48/export</guid>
      <pubDate>Tue, 02 Jun 2026 19:47:16 +0000</pubDate>
    </item>
  </channel>
</rss>
