Every CVE whose affected-product data names Morgan Project Morgan, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (2)
CVE-2019-5413 — CVSS 9.8 (critical): An attacker can use the format parameter to inject arbitrary commands in the npm package morgan < 1.9.1.
CVE-2026-5078 — CVSS 5.3 (medium): Impact: The morgan logging middleware's :remote-user token extracts the Basic auth username from the Authorization request header and…