Vulnerability Details CVE-2026-1337
Insufficient escaping of unicode characters in query log in Neo4j Enterprise and Community editions prior to 2026.01 can lead to XSS if the user opens the logs in a tool that treats them as HTML. There is no security impact on Neo4j products, but this advisory is released as a precaution to treat the logs as plain text if using versions prior to 2026.01.
Proof of concept exploit: https://github.com/JoakimBulow/CVE-2026-1337
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 3.1%
CVSS Severity
CVSS v3 Score 5.4
References
Products affected by CVE-2026-1337
-
cpe:2.3:a:neo4j:neo4j:-
-
cpe:2.3:a:neo4j:neo4j:3.4.0
-
cpe:2.3:a:neo4j:neo4j:3.4.1
-
cpe:2.3:a:neo4j:neo4j:3.4.10
-
cpe:2.3:a:neo4j:neo4j:3.4.11
-
cpe:2.3:a:neo4j:neo4j:3.4.12
-
cpe:2.3:a:neo4j:neo4j:3.4.13
-
cpe:2.3:a:neo4j:neo4j:3.4.14
-
cpe:2.3:a:neo4j:neo4j:3.4.15
-
cpe:2.3:a:neo4j:neo4j:3.4.16
-
cpe:2.3:a:neo4j:neo4j:3.4.17
-
cpe:2.3:a:neo4j:neo4j:3.4.18
-
cpe:2.3:a:neo4j:neo4j:3.4.2
-
cpe:2.3:a:neo4j:neo4j:3.4.4
-
cpe:2.3:a:neo4j:neo4j:3.4.5
-
cpe:2.3:a:neo4j:neo4j:3.4.6
-
cpe:2.3:a:neo4j:neo4j:3.4.7
-
cpe:2.3:a:neo4j:neo4j:3.4.8
-
cpe:2.3:a:neo4j:neo4j:3.4.9