PT-2026-6724 · Neo4J · Neo4J
Joakim Bülow
·
Published
2026-02-06
·
Updated
2026-02-26
·
CVE-2026-1337
CVSS v3.1
5.4
Medium
| Vector | AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Neo4j versions prior to 2026.01
Description
A lack of proper unicode character escaping in the query log functionality can result in cross-site scripting (XSS) if logs are opened in a tool that interprets them as HTML. The issue is present in both Neo4j Enterprise and Community editions. While there is no direct security impact to Neo4j products, the advisory suggests treating logs as plain text.
Recommendations
Update to version 2026.01 or later.
Treat query logs as plain text if using versions prior to 2026.01.
Exploit
Fix
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Neo4J