cvedb.io
CVE-2026-1337
MEDIUM · CVSS 5.4
EPSS exploitation probability: 0%
Published 2026-02-06T14:16:38.120 · Last modified 2026-06-17T10:15:37.643

Summary

Insufficient escaping of unicode characters in query log in Neo4j Enterprise and Community editions prior to 2026.01 can lead to XSS if the user opens the logs in a tool that treats them as HTML. There is no security impact on Neo4j products, but this advisory is released as a precaution to treat the logs as plain text if using versions prior to 2026.01. Proof of concept exploit:  https://github.com/JoakimBulow/CVE-2026-1337

Affected products

neo4j — neo4j

Does this affect you?

Add your gear to cvedb and we'll alert you only when neo4j ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.