BIT-neo4j-2026-1337

See a problem?

Import Source

https://github.com/bitnami/vulndb/tree/main/data/neo4j/BIT-neo4j-2026-1337.json

JSON Data

https://api.osv.dev/v1/vulns/BIT-neo4j-2026-1337

Aliases

Published

2026-02-26T15:16:17.899Z

Modified

2026-02-26T16:11:08.298792Z

Summary

Insufficient escaping of unicode characters in query log

Details

Insufficient escaping of unicode characters in query log in Neo4j Enterprise and Community editions prior to 2026.01 can lead to XSS if the user opens the logs in a tool that treats them as HTML. There is no security impact on Neo4j products, but this advisory is released as a precaution to treat the logs as plain text if using versions prior to 2026.01.

Proof of concept exploit: https://github.com/JoakimBulow/CVE-2026-1337

Database specific

{
    "severity": "Low",
    "cpes": [
        "cpe:2.3:a:neo4j:neo4j:*:*:*:*:enterprise:*:*:*",
        "cpe:2.3:a:neo4j:neo4j:*:*:*:*:community:*:*:*"
    ]
}

References

Affected packages

Bitnami / neo4j

Package

Name: neo4j
Purl: pkg:bitnami/neo4j

Severity

1.1 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X CVSS Calculator

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2026.1.0

Database specific

source

"https://github.com/bitnami/vulndb/tree/main/data/neo4j/BIT-neo4j-2026-1337.json"