Description
Insufficient escaping of unicode characters in query log in Neo4j Enterprise and Community editions prior to 2026.01 can lead to XSS if the user opens the logs in a tool that treats them as HTML. There is no security impact on Neo4j products, but this advisory is released as a precaution to treat the logs as plain text if using versions prior to 2026.01.

Proof of concept exploit: https://github.com/JoakimBulow/CVE-2026-1337
Published: 2026-02-06
Score: 1.1 Low
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting via log viewer
Action: Monitor
AI Analysis

Impact

Neo4j Community and Enterprise editions prior to 2026.01 do not sufficiently escape Unicode characters when writing queries to the query log. A user who is allowed to run queries (the CVSS vectors record PR:L) can therefore put markup into a query and have it written to the log verbatim; if someone later opens that log in a tool that renders its contents as HTML, the embedded script runs in the viewer's context. The weakness is improper output neutralization for logs (CWE‑117), not input validation: the database is not affected, and the impact is confined to whatever environment consumes the logs, which is why Neo4j published the advisory as a precaution.

Affected Systems

The advisory names Neo4j Community Edition and Enterprise Edition prior to 2026.01 without listing individual releases, and the CPE entries recorded in the history below carry wildcard versions for both editions. Treat every release before 2026.01 as affected unless Neo4j states otherwise.

Risk and Exploitability

Two scores exist: Neo4j's CVSS v4.0 assessment is 1.1 (Low), while NVD's CVSS v3.1 assessment is 5.4 (Medium, scope changed). Both vectors agree that the attacker delivers the payload over the network with low privileges (AV:N, PR:L) and that a person must act for anything to happen (UI:A in v4.0, UI:R in v3.1): the attacker only needs the ability to run queries, and it is the administrator who opens the log in an HTML‑rendering tool who triggers the script. An EPSS below 1% and the SSVC assessment of Exploitation: poc reflect public proof‑of‑concept code without observed exploitation, and the CVE is not in the CISA Known Exploited Vulnerabilities catalog. Practical exposure is therefore decided entirely by the tooling used to read the logs; plain‑text viewers are unaffected.

Generated by OpenCVE AI on April 17, 2026 at 22:42 UTC.

Remediation

Neo4j fixed the escaping in the 2026.01 release. For earlier versions the advisory's workaround is to treat the query logs as plain text, that is, not to open them in tools that render their contents as HTML.

OpenCVE Recommended Actions

  • Configure all log‑viewing tools to treat Neo4j query logs as plain text rather than HTML
  • Upgrade Neo4j to version 2026.01 or newer, where the Unicode escape bug is fixed
  • Implement a strict content‑security‑policy in any web‑based log viewer to block execution of embedded scripts
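The mechanism in the Impact paragraph and the first recommended action above, as an added example that is not Neo4j's code and not the linked proof of concept: it scans constructed, simplified query‑log lines for markup that an HTML tokenizer would actually treat as a tag (a Cypher comparison such as `a < b` is not a tag and should not raise an alarm), separates script‑bearing fragments from inert ones, and applies the escaping a web‑based viewer needs before interpolating an entry into HTML. The log layout, field order and regular expressions are assumptions for illustration; real query.log lines carry more fields, so adjust the split before running this against production logs.

```python
"""Scan Neo4j-style query log lines for markup that an HTML-rendering
viewer would execute, and show the neutralization a web viewer must
apply before rendering (the CWE-117 / CVE-2026-1337 situation).

Added example; not Neo4j code and not the linked proof of concept.
"""
import html
import re

# Constructed sample log (simplified layout, not the exact Neo4j
# query.log format): timestamp/level/id, duration and user, transport,
# query text, parameters, separated by " - ".  Line 2 carries a query
# whose string literal contains script-bearing markup, line 3 harmless
# markup, line 4 comparison operators that are not markup at all.
SAMPLE_QUERY_LOG = """\
2026-02-01 10:00:00.001+0000 INFO  id:41 - 3 ms: neo4j - bolt - MATCH (n:User) RETURN n.name - {}
2026-02-01 10:00:01.002+0000 INFO  id:42 - 2 ms: neo4j - bolt - RETURN "<img src=x onerror=alert(document.cookie)>" AS s - {}
2026-02-01 10:00:02.003+0000 INFO  id:43 - 4 ms: neo4j - bolt - CREATE (p:Page {body: '<b>bold</b>'}) - {}
2026-02-01 10:00:03.004+0000 INFO  id:44 - 1 ms: neo4j - bolt - RETURN 'a < b AND c > d' AS cmp - {}
"""

# An HTML5 tokenizer opens a tag only when "<" is directly followed by
# a letter (or by "/" and a letter); "a < b" stays text.  Match that
# rule rather than any bare "<", so Cypher comparisons do not alarm.
TAG = re.compile(r"</?[a-zA-Z][^<>]*>")

# Inside a tag, any of these turns markup into script execution.
SCRIPT_BEARING = re.compile(
    r"^<script\b|\bon[a-zA-Z]+\s*=|javascript\s*:", re.IGNORECASE
)


def parse_query_log(text):
    """Yield (line_no, query_text) from the constructed layout above.

    Three fixed prefix fields precede the query and one parameters
    field follows it, so split from both ends rather than on every
    " - " (a query may itself contain " - ").
    """
    for no, line in enumerate(text.splitlines(), 1):
        parts = line.split(" - ", 3)
        if len(parts) < 4:
            continue  # malformed or truncated line: skip, do not guess
        query = parts[3].rsplit(" - ", 1)[0]
        yield no, query


def find_active_markup(text):
    """Return [(line_no, query, fragment, kind)] for entries whose query
    text would become live markup if rendered as HTML.  kind is
    "script" when the fragment can execute code, otherwise "markup"."""
    hits = []
    for no, query in parse_query_log(text):
        m = TAG.search(query)
        if m:
            frag = m.group(0)
            kind = "script" if SCRIPT_BEARING.search(frag) else "markup"
            hits.append((no, query, frag, kind))
    return hits


def neutralize_for_html(query):
    """What 'treat the logs as plain text' means inside a web viewer:
    escape the entry before interpolating it into HTML so the browser
    displays the markup instead of parsing it (same effect as assigning
    textContent rather than innerHTML in browser-side code)."""
    return html.escape(query, quote=True)


if __name__ == "__main__":
    for no, query, frag, kind in find_active_markup(SAMPLE_QUERY_LOG):
        print(f"line {no}: {kind:6} {frag!r}")
        print(f"   raw:     {query}")
        print(f"   escaped: {neutralize_for_html(query)}")
```

Running the scan over existing logs answers the incident‑response question the advisory leaves open (has anyone already planted markup in our query log?); the escaping function is the fix a viewer needs regardless of the Neo4j version, and a content security policy on the viewer is a second layer behind it, not a substitute.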

Advisories
Source: GitHub GHSA
ID: GHSA-xr72-g735-4vwp
Title: Neo4j Enterprise and Community editions have insufficient escaping of unicode characters in query log
History

Tue, 24 Feb 2026 21:30:00 +0000

Values added:
  First Time appeared: Neo4j neo4j
  CPEs: cpe:2.3:a:neo4j:neo4j:*:*:*:*:community:*:*:*
        cpe:2.3:a:neo4j:neo4j:*:*:*:*:enterprise:*:*:*
  Vendors & Products: Neo4j neo4j
  Metrics: cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

Mon, 09 Feb 2026 11:00:00 +0000

Values added:
  First Time appeared: Neo4j; Neo4j community Edition; Neo4j enterprise Edition
  Vendors & Products: Neo4j; Neo4j community Edition; Neo4j enterprise Edition

Fri, 06 Feb 2026 15:15:00 +0000

Values added:
  Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 06 Feb 2026 13:45:00 +0000

Values added:
  Description: Insufficient escaping of unicode characters in query log in Neo4j Enterprise and Community editions prior to 2026.01 can lead to XSS if the user opens the logs in a tool that treats them as HTML. There is no security impact on Neo4j products, but this advisory is released as a precaution to treat the logs as plain text if using versions prior to 2026.01. Proof of concept exploit: https://github.com/JoakimBulow/CVE-2026-1337
  Title: Insufficient escaping of unicode characters in query log
  Weaknesses: CWE-117
  References:
  Metrics: cvssV4_0 {'score': 1.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: Neo4j

Published:

Updated: 2026-02-06T14:30:29.856Z

Reserved: 2026-01-22T13:14:55.461Z

Link: CVE-2026-1337

Vulnrichment

Updated: 2026-02-06T14:30:21.922Z

NVD

Status : Analyzed

Published: 2026-02-06T14:16:38.120

Modified: 2026-02-24T21:21:55.050

Link: CVE-2026-1337

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T22:45:29Z

Weaknesses
  • CWE-117: Improper Output Neutralization for Logs