CVE-2019-5413

CRITICAL

morgan <1.9.1 - Command Injection

Title source: llm

Description

An attacker can use the format parameter to inject arbitrary commands in the npm package morgan < 1.9.1.

Exploits (3)

nomisec TROJAN
by crstaicu · poc
https://github.com/crstaicu/CVE-2019-5413
nomisec STUB
by forse01 · poc
https://github.com/forse01/CVE-2019-5413-NetBeans-NoJson
nomisec STUB
by forse01 · poc
https://github.com/forse01/CVE-2019-5413-NetBeans

References (3)

Scores

CVSS v3 9.8
EPSS 0.0195
EPSS Percentile 83.5%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-94 CWE-77
Status published
Products (2)
morgan_project/morgan < 1.9.1
npm/morgan 0 - 1.9.1npm
Published Mar 21, 2019
Tracked Since Feb 18, 2026