CVE-2026-1337

Name
CVE-2026-1337
Description
Insufficient escaping of unicode characters in query log in Neo4j Enterprise and Community editions prior to 2026.01 can lead to XSS if the user opens the logs in a tool that treats them as HTML. There is no security impact on Neo4j products, but this advisory is released as a precaution to treat the logs as plain text if using versions prior to 2026.01. Proof of concept exploit:  https://github.com/JoakimBulow/CVE-2026-1337
NVD Severity
unknown
Other trackers
CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia
Mailing lists
oss-security, full-disclosure, bugtraq
Exploits
Exploit DB, Metasploit
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
3b236295-4ccd-4a1f-a1c1-a72eecc8d7b6 https://github.com/JoakimBulow/CVE-2026-1337

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:neo4j:neo4j:*:*:*:*:community:*:*:* neo4j >= None < 2026.01

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
neo4j edge-community 4.4.41-r0 Jakub Jirutka <jakub@jirutka.cz> possibly vulnerable
neo4j edge-community 4.4.35-r0 Jakub Jirutka <jakub@jirutka.cz> possibly vulnerable
neo4j 3.23-community 4.4.41-r0 Jakub Jirutka <jakub@jirutka.cz> possibly vulnerable