{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1337", "assignerOrgId": "3b236295-4ccd-4a1f-a1c1-a72eecc8d7b6", "state": "PUBLISHED", "assignerShortName": "Neo4j", "dateReserved": "2026-01-22T13:14:55.461Z", "datePublished": "2026-02-06T13:13:19.230Z", "dateUpdated": "2026-02-06T14:30:29.856Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Enterprise Edition", "vendor": "neo4j", "versions": [{"lessThan": "2026.01.0", "status": "affected", "version": "0", "versionType": "date"}]}, {"collectionURL": "https://mvnrepository.com/artifact/org.neo4j/neo4j", "defaultStatus": "unaffected", "packageName": "pkg:maven/org.neo4j/neo4j", "product": "Community Edition", "repo": "https://github.com/neo4j/neo4j", "vendor": "neo4j", "versions": [{"lessThan": "2026.01.0", "status": "affected", "version": "0", "versionType": "date"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Joakim B\u00fclow"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Insufficient escaping of unicode characters in query log in Neo4j Enterprise and Community editions prior to 2026.01 can lead to XSS if the user opens the logs in a tool that treats them as HTML. There is no security impact on Neo4j products, but this advisory is released as a precaution to treat the logs as plain text if using versions prior to 2026.01.<br><br>Proof of concept exploit:&nbsp;<a target=\"_blank\" rel=\"nofollow\" href=\"https://github.com/JoakimBulow/CVE-2026-1337\">https://github.com/JoakimBulow/CVE-2026-1337</a>"}], "value": "Insufficient escaping of unicode characters in query log in Neo4j Enterprise and Community editions prior to 2026.01 can lead to XSS if the user opens the logs in a tool that treats them as HTML. There is no security impact on Neo4j products, but this advisory is released as a precaution to treat the logs as plain text if using versions prior to 2026.01.\n\nProof of concept exploit:\u00a0 https://github.com/JoakimBulow/CVE-2026-1337"}], "impacts": [{"capecId": "CAPEC-63", "descriptions": [{"lang": "en", "value": "CAPEC-63 Cross-Site Scripting (XSS)"}]}, {"capecId": "CAPEC-93", "descriptions": [{"lang": "en", "value": "CAPEC-93 Log Injection-Tampering-Forging"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "baseScore": 1.1, "baseSeverity": "LOW", "exploitMaturity": "PROOF_OF_CONCEPT", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-117", "description": "CWE-117 Improper Output Neutralization for Logs", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "3b236295-4ccd-4a1f-a1c1-a72eecc8d7b6", "shortName": "Neo4j", "dateUpdated": "2026-02-06T13:13:19.230Z"}, "references": [{"tags": ["exploit"], "url": "https://github.com/JoakimBulow/CVE-2026-1337"}], "source": {"discovery": "INTERNAL"}, "title": "Insufficient escaping of unicode characters in query log", "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-06T14:29:47.736732Z", "id": "CVE-2026-1337", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-06T14:30:29.856Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1337", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-06T14:29:47.736732Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-06T14:30:21.922Z"}}], "cna": {"title": "Insufficient escaping of unicode characters in query log", "source": {"discovery": "INTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Joakim B\u00fclow"}], "impacts": [{"capecId": "CAPEC-63", "descriptions": [{"lang": "en", "value": "CAPEC-63 Cross-Site Scripting (XSS)"}]}, {"capecId": "CAPEC-93", "descriptions": [{"lang": "en", "value": "CAPEC-93 Log Injection-Tampering-Forging"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 1.1, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "LOW", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P", "exploitMaturity": "PROOF_OF_CONCEPT", "providerUrgency": "NOT_DEFINED", "userInteraction": "ACTIVE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "neo4j", "product": "Enterprise Edition", "versions": [{"status": "affected", "version": "0", "lessThan": "2026.01.0", "versionType": "date"}], "defaultStatus": "unaffected"}, {"repo": "https://github.com/neo4j/neo4j", "vendor": "neo4j", "product": "Community Edition", "versions": [{"status": "affected", "version": "0", "lessThan": "2026.01.0", "versionType": "date"}], "packageName": "pkg:maven/org.neo4j/neo4j", "collectionURL": "https://mvnrepository.com/artifact/org.neo4j/neo4j", "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/JoakimBulow/CVE-2026-1337", "tags": ["exploit"]}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "Insufficient escaping of unicode characters in query log in Neo4j Enterprise and Community editions prior to 2026.01 can lead to XSS if the user opens the logs in a tool that treats them as HTML. There is no security impact on Neo4j products, but this advisory is released as a precaution to treat the logs as plain text if using versions prior to 2026.01.\n\nProof of concept exploit:\u00a0 https://github.com/JoakimBulow/CVE-2026-1337", "supportingMedia": [{"type": "text/html", "value": "Insufficient escaping of unicode characters in query log in Neo4j Enterprise and Community editions prior to 2026.01 can lead to XSS if the user opens the logs in a tool that treats them as HTML. There is no security impact on Neo4j products, but this advisory is released as a precaution to treat the logs as plain text if using versions prior to 2026.01.<br><br>Proof of concept exploit:&nbsp;<a target=\"_blank\" rel=\"nofollow\" href=\"https://github.com/JoakimBulow/CVE-2026-1337\">https://github.com/JoakimBulow/CVE-2026-1337</a>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-117", "description": "CWE-117 Improper Output Neutralization for Logs"}]}], "providerMetadata": {"orgId": "3b236295-4ccd-4a1f-a1c1-a72eecc8d7b6", "shortName": "Neo4j", "dateUpdated": "2026-02-06T13:13:19.230Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1337", "state": "PUBLISHED", "dateUpdated": "2026-02-06T14:30:29.856Z", "dateReserved": "2026-01-22T13:14:55.461Z", "assignerOrgId": "3b236295-4ccd-4a1f-a1c1-a72eecc8d7b6", "datePublished": "2026-02-06T13:13:19.230Z", "assignerShortName": "Neo4j"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:neo4j:neo4j:*:*:*:*:community:*:*:*", "matchCriteriaId": "45EA63FF-3AC6-43C7-A504-CB24BAC916F9", "versionEndExcluding": "2026.01", "vulnerable": true}, {"criteria": "cpe:2.3:a:neo4j:neo4j:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "0E3788A7-7BDC-467B-A491-1D19A3FE5C80", "versionEndExcluding": "2026.01", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Insufficient escaping of unicode characters in query log in Neo4j Enterprise and Community editions prior to 2026.01 can lead to XSS if the user opens the logs in a tool that treats them as HTML. There is no security impact on Neo4j products, but this advisory is released as a precaution to treat the logs as plain text if using versions prior to 2026.01.\n\nProof of concept exploit:\u00a0 https://github.com/JoakimBulow/CVE-2026-1337"}], "id": "CVE-2026-1337", "lastModified": "2026-02-24T21:21:55.050", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 1.1, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "3b236295-4ccd-4a1f-a1c1-a72eecc8d7b6", "type": "Secondary"}]}, "published": "2026-02-06T14:16:38.120", "references": [{"source": "3b236295-4ccd-4a1f-a1c1-a72eecc8d7b6", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/JoakimBulow/CVE-2026-1337"}], "sourceIdentifier": "3b236295-4ccd-4a1f-a1c1-a72eecc8d7b6", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-117"}], "source": "3b236295-4ccd-4a1f-a1c1-a72eecc8d7b6", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-17T22:42:58.618331+00:00", "value": {"mitigation_remediation": ["Configure all log\u2011viewing tools to treat Neo4j query logs as plain text rather than HTML", "Upgrade Neo4j to version 2026.01 or newer, where the Unicode escape bug is fixed", "Implement a strict content\u2011security\u2011policy in any web\u2011based log viewer to block execution of embedded scripts"], "summary": {"action": "Monitor", "impact": "Cross\u2011Site Scripting via log viewer"}, "threat_synthesis": {"affected_systems": "The flaw affects all Neo4j Community Edition and Enterprise Edition installations released prior to 2026.01. No specific release numbers are listed, so any version before the 2026.01 milestone is potentially vulnerable.", "description_and_impact": "Neo4j Community and Enterprise editions that log queries before the 2026.01 release do not properly escape Unicode characters in the query log. This deficiency means that if a log file is opened with a tool that renders its contents as HTML, an attacker can embed malicious scripts that will execute in the viewer\u2019s context. The vulnerability is a classic case of unchecked input validation, identified as CWE\u2011117, and the impact is limited to the environment that consumes the logs rather than the Neo4j database itself.", "risk_and_exploitability": "The CVSS score of 1.1 and an EPSS score of less than 1% indicate that the vulnerability poses a low overall risk and is unlikely to be widely exploited. Because exploitation requires a client that parses logs as HTML, an attacker would need local or remote access to a log\u2011viewing environment, making the attack vector environment\u2011dependent rather than network\u2011based. The vulnerability is not catalogued in the CISA Known Exploited Vulnerabilities list, further suggesting a minimal threat level when logs are treated as plain text."}}}}, "created": "2026-02-09T10:50:25.493628+00:00", "updated": "2026-04-17T22:45:29.941236+00:00", "vendors": ["neo4j", "neo4j$PRODUCT$community_edition", "neo4j$PRODUCT$enterprise_edition"]}