CVE-2026-5078 — Impact: The morgan logging middleware's :remote-user token extracts the Basic auth username from the Authorization request header and writes it to the log stream without neutralizing control character — CVE Database · The Intelligence Room