Low severity · NVD Advisory · Published Feb 6, 2026 · Updated Feb 6, 2026
Insufficient escaping of unicode characters in query log
CVE-2026-1337
Description
Insufficient escaping of Unicode characters in the query log in Neo4j Enterprise and Community editions prior to 2026.01 can lead to XSS if the user opens the logs in a tool that treats them as HTML. There is no security impact on Neo4j products, but this advisory is released as a precaution: treat the logs as plain text if using versions prior to 2026.01.
Proof of concept exploit: https://github.com/JoakimBulow/CVE-2026-1337
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.neo4j:neo4j (Maven) | < 2026.01 | 2026.01 |
Affected products
- osv-coords (2 versions): < 2026.1.0 (+ 1 more)
- (no CPE) range: < 2026.1.0
- (no CPE) range: < 2026.01
- Range: 0
References
- github.com/advisories/GHSA-xr72-g735-4vwp (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-1337 (GHSA, advisory)