VYPR
Low severityNVD Advisory· Published Feb 6, 2026· Updated Feb 6, 2026

Insufficient escaping of unicode characters in query log

CVE-2026-1337

Description

Insufficient escaping of unicode characters in query log in Neo4j Enterprise and Community editions prior to 2026.01 can lead to XSS if the user opens the logs in a tool that treats them as HTML. There is no security impact on Neo4j products, but this advisory is released as a precaution to treat the logs as plain text if using versions prior to 2026.01.

Proof of concept exploit:  https://github.com/JoakimBulow/CVE-2026-1337

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
org.neo4j:neo4jMaven
< 2026.012026.01

Affected products

3

Patches

Vulnerability mechanics

References

2

News mentions

0

No linked articles in our index yet.