{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-1337","assignerOrgId":"3b236295-4ccd-4a1f-a1c1-a72eecc8d7b6","state":"PUBLISHED","assignerShortName":"Neo4j","dateReserved":"2026-01-22T13:14:55.461Z","datePublished":"2026-02-06T13:13:19.230Z","dateUpdated":"2026-02-06T14:30:29.856Z"},"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Enterprise Edition","vendor":"neo4j","versions":[{"lessThan":"2026.01.0","status":"affected","version":"0","versionType":"date"}]},{"collectionURL":"https://mvnrepository.com/artifact/org.neo4j/neo4j","defaultStatus":"unaffected","packageName":"pkg:maven/org.neo4j/neo4j","product":"Community Edition","repo":"https://github.com/neo4j/neo4j","vendor":"neo4j","versions":[{"lessThan":"2026.01.0","status":"affected","version":"0","versionType":"date"}]}],"credits":[{"lang":"en","type":"finder","value":"Joakim Bülow"}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"Insufficient escaping of unicode characters in query log in Neo4j Enterprise and Community editions prior to 2026.01 can lead to XSS if the user opens the logs in a tool that treats them as HTML. There is no security impact on Neo4j products, but this advisory is released as a precaution, advising that the logs be treated as plain text when using versions prior to 2026.01.<br><br>Proof of concept exploit:&nbsp;<a target=\"_blank\" rel=\"nofollow\" href=\"https://github.com/JoakimBulow/CVE-2026-1337\">https://github.com/JoakimBulow/CVE-2026-1337</a>"}],"value":"Insufficient escaping of unicode characters in query log in Neo4j Enterprise and Community editions prior to 2026.01 can lead to XSS if the user opens the logs in a tool that treats them as HTML. There is no security impact on Neo4j products, but this advisory is released as a precaution, advising that the logs be treated as plain text when using versions prior to 2026.01.\n\nProof of concept exploit:  https://github.com/JoakimBulow/CVE-2026-1337"}],"impacts":[{"capecId":"CAPEC-63","descriptions":[{"lang":"en","value":"CAPEC-63 Cross-Site Scripting (XSS)"}]},{"capecId":"CAPEC-93","descriptions":[{"lang":"en","value":"CAPEC-93 Log Injection-Tampering-Forging"}]}],"metrics":[{"cvssV4_0":{"Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","Safety":"NOT_DEFINED","attackComplexity":"LOW","attackRequirements":"PRESENT","attackVector":"NETWORK","baseScore":1.1,"baseSeverity":"LOW","exploitMaturity":"PROOF_OF_CONCEPT","privilegesRequired":"LOW","providerUrgency":"NOT_DEFINED","subAvailabilityImpact":"NONE","subConfidentialityImpact":"LOW","subIntegrityImpact":"LOW","userInteraction":"ACTIVE","valueDensity":"NOT_DEFINED","vectorString":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P","version":"4.0","vulnAvailabilityImpact":"NONE","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"NONE","vulnerabilityResponseEffort":"NOT_DEFINED"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-117","description":"CWE-117 Improper Output Neutralization for Logs","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"3b236295-4ccd-4a1f-a1c1-a72eecc8d7b6","shortName":"Neo4j","dateUpdated":"2026-02-06T13:13:19.230Z"},"references":[{"tags":["exploit"],"url":"https://github.com/JoakimBulow/CVE-2026-1337"}],"source":{"discovery":"INTERNAL"},"title":"Insufficient escaping of unicode characters in query log","x_generator":{"engine":"Vulnogram 0.5.0"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-02-06T14:29:47.736732Z","id":"CVE-2026-1337","options":[{"Exploitation":"poc"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-02-06T14:30:29.856Z"}}]}}