CVE-2026-1337

Insufficient escaping of unicode characters in query log in Neo4j Enterprise and Community editions prior to 2026.01 can lead to XSS if the user opens the logs in a tool that treats them as HTML. There is no security impact on Neo4j products, but this advisory is released as a precaution to treat the logs as plain text if using versions prior to 2026.01. Proof of concept exploit: https://github.com/JoakimBulow/CVE-2026-1337

CVSS v3 5.4 MEDIUM

5.4^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.3 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/JoakimBulow/CVE-2026-1337	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:neo4j:neo4j:::::community:::*
	cpe:2.3:a:neo4j:neo4j:::::enterprise:::*

History

17 Jun 2026, 10:15

Type	Values Removed	Values Added
Summary		(es) El escape insuficiente de caracteres Unicode en el registro de consultas en las ediciones Neo4j Enterprise y Community anteriores a 2026.01 puede conducir a XSS si el usuario abre los registros en una herramienta que los trate como HTML. No hay impacto de seguridad en los productos Neo4j, pero este aviso se publica como precaución para tratar los registros como texto plano si se utilizan versiones anteriores a 2026.01. Prueba de concepto de exploit: https://github.com/JoakimBulow/CVE-2026-1337

24 Feb 2026, 21:21

Type	Values Removed	Values Added
First Time		Neo4j neo4j Neo4j
CPE		cpe:2.3:a:neo4j:neo4j:::::enterprise:::* cpe:2.3:a:neo4j:neo4j:::::community:::*
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 5.4
References	~~() https://github.com/JoakimBulow/CVE-2026-1337 -~~	() https://github.com/JoakimBulow/CVE-2026-1337 - Exploit, Third Party Advisory

06 Feb 2026, 14:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-02-06 14:16

Updated : 2026-06-17 10:15

NVD link : CVE-2026-1337

Mitre link : CVE-2026-1337

CVE.ORG link : CVE-2026-1337

JSON object : View

Products Affected

neo4j

neo4j

CWE

CWE-117

Improper Output Neutralization for Logs

{"id": "CVE-2026-1337", "cveTags": [], "metrics": {"ssvcV203": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "ssvcData": {"id": "CVE-2026-1337", "role": "CISA Coordinator", "options": [{"exploitation": "poc"}, {"automatable": "no"}, {"technicalImpact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-06T14:29:47.736732Z"}}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.3}], "cvssMetricV40": [{"type": "Secondary", "source": "3b236295-4ccd-4a1f-a1c1-a72eecc8d7b6", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 1.1, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "LOW", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "PROOF_OF_CONCEPT", "providerUrgency": "NOT_DEFINED", "userInteraction": "ACTIVE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "affected": [{"source": "3b236295-4ccd-4a1f-a1c1-a72eecc8d7b6", "affectedData": [{"vendor": "neo4j", "product": "Enterprise Edition", "versions": [{"status": "affected", "version": "0", "lessThan": "2026.01.0", "versionType": "date"}], "defaultStatus": "unaffected"}, {"repo": "https://github.com/neo4j/neo4j", "vendor": "neo4j", "product": "Community Edition", "versions": [{"status": "affected", "version": "0", "lessThan": "2026.01.0", "versionType": "date"}], "packageName": "pkg:maven/org.neo4j/neo4j", "collectionURL": "https://mvnrepository.com/artifact/org.neo4j/neo4j", "defaultStatus": "unaffected"}]}], "published": "2026-02-06T14:16:38.120", "references": [{"url": "https://github.com/JoakimBulow/CVE-2026-1337", "tags": ["Exploit", "Third Party Advisory"], "source": "3b236295-4ccd-4a1f-a1c1-a72eecc8d7b6"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "3b236295-4ccd-4a1f-a1c1-a72eecc8d7b6", "description": [{"lang": "en", "value": "CWE-117"}]}], "descriptions": [{"lang": "en", "value": "Insufficient escaping of unicode characters in query log in Neo4j Enterprise and Community editions prior to 2026.01 can lead to XSS if the user opens the logs in a tool that treats them as HTML. There is no security impact on Neo4j products, but this advisory is released as a precaution to treat the logs as plain text if using versions prior to 2026.01.\n\nProof of concept exploit:\u00a0 https://github.com/JoakimBulow/CVE-2026-1337"}, {"lang": "es", "value": "El escape insuficiente de caracteres Unicode en el registro de consultas en las ediciones Neo4j Enterprise y Community anteriores a 2026.01 puede conducir a XSS si el usuario abre los registros en una herramienta que los trate como HTML. No hay impacto de seguridad en los productos Neo4j, pero este aviso se publica como precauci\u00f3n para tratar los registros como texto plano si se utilizan versiones anteriores a 2026.01.\n\nPrueba de concepto de exploit: https://github.com/JoakimBulow/CVE-2026-1337"}], "lastModified": "2026-06-17T10:15:37.643", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:neo4j:neo4j:*:*:*:*:community:*:*:*", "vulnerable": true, "matchCriteriaId": "45EA63FF-3AC6-43C7-A504-CB24BAC916F9", "versionEndExcluding": "2026.01"}, {"criteria": "cpe:2.3:a:neo4j:neo4j:*:*:*:*:enterprise:*:*:*", "vulnerable": true, "matchCriteriaId": "0E3788A7-7BDC-467B-A491-1D19A3FE5C80", "versionEndExcluding": "2026.01"}], "operator": "OR"}]}], "sourceIdentifier": "3b236295-4ccd-4a1f-a1c1-a72eecc8d7b6"}