QwikSec

Security Database

CVE

CWE

Training

CVE Database
/

CVE-2026-1337

Back to search

CVE-2026-1337

Published: Feb 6, 2026

Modified: Feb 6, 2026

PUBLISHED

Description

Insufficient escaping of unicode characters in query log in Neo4j Enterprise and Community editions prior to 2026.01 can lead to XSS if the user opens the logs in a tool that treats them as HTML. There is no security impact on Neo4j products, but this advisory is released as a precaution to treat the logs as plain text if using versions prior to 2026.01. Proof of concept exploit:  https://github.com/JoakimBulow/CVE-2026-1337

VendorProductVersions

neo4j

Enterprise Edition

affected
0 - < 2026.01.0

neo4j

Community Edition

affected
0 - < 2026.01.0

Weaknesses (CWE)

CWE-117

References

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now