CVE-2019-5413

CRITICAL

morgan < 1.9.1 - Remote Code Execution via Format Parameter Injection

Title source: llm

Exploitation Summary

EIP tracks 3 public exploits for CVE-2019-5413. PoCs published by crstaicu, forse01.

AI-analyzed exploit summary The repository claims to be a PoC for CVE-2019-5413 but contains no actual exploit code, only a README stating 'Fake repo'. This is a clear deception.

Description

An attacker can use the format parameter to inject arbitrary commands in the npm package morgan < 1.9.1.

Exploits (3)

nomisec TROJAN

by crstaicu · poc

https://github.com/crstaicu/CVE-2019-5413

View Code ZIP pw:eip

The repository claims to be a PoC for CVE-2019-5413 but contains no actual exploit code, only a README stating 'Fake repo'. This is a clear deception.

Classification

Trojan 100%

Attack Type

Other

Complexity

Trivial

Reliability

Theoretical

Target: none

No auth needed

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec STUB

by forse01 · poc

https://github.com/forse01/CVE-2019-5413-NetBeans-NoJson

View Code ZIP pw:eip

The repository appears to be a stub or placeholder for CVE-2019-5413, containing only a README with minimal content and a 'log' directory with Node.js module dependencies. No actual exploit code or proof-of-concept is present.

Classification

Stub 90%

Attack Type

Other

Complexity

N/a

Reliability

Theoretical

Target: NetBeans

No auth needed

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec STUB

by forse01 · poc

https://github.com/forse01/CVE-2019-5413-NetBeans

View Code ZIP pw:eip

The repository appears to be a stub or placeholder for CVE-2019-5413, containing only a README with minimal content and a 'log' directory with Node.js module dependencies unrelated to the vulnerability. No exploit code or technical details are present.

Classification

Stub 10%

Attack Type

Other

Complexity

N/a

Reliability

Theoretical

Target: NetBeans

No auth needed

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3

Core References

Exploit, Third Party Advisory x_refsource_misc

https://hackerone.com/reports/390881

Mailing List mailing-list x_refsource_mlist

https://lists.apache.org/thread.html/r8ba4c628fba7181af58817d452119481adce4ba92e889c643e4c7dd3%40%3Ccommits.netbeans.apache.org%3E

Mailing List mailing-list x_refsource_mlist

https://lists.apache.org/thread.html/rb5ac16fad337d1f3bb7079549f97d8166d0ef3082629417c39f12d63%40%3Cnotifications.netbeans.apache.org%3E

Scores

CVSS v3 9.8

EPSS 0.0195

EPSS Percentile 83.9%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-94 CWE-77

Status published

Products (2)

morgan_project/morgan < 1.9.1

npm/morgan 0 - 1.9.1npm

Published Mar 21, 2019

Tracked Since Feb 18, 2026