CVE-2026-1337: Insufficient escaping of unicode characters in query log

Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-1337

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title

Insufficient escaping of unicode characters in query log

Source: NVD (National Vulnerability Database)

Vulnerability Description

Insufficient escaping of unicode characters in query log in Neo4j Enterprise and Community editions prior to 2026.01 can lead to XSS if the user opens the logs in a tool that treats them as HTML. There is no security impact on Neo4j products, but this advisory is released as a precaution to treat the logs as plain text if using versions prior to 2026.01. Proof of concept exploit: https://github.com/JoakimBulow/CVE-2026-1337

Source: NVD (National Vulnerability Database)

CVSS Information

N/A

Source: NVD (National Vulnerability Database)

Vulnerability Type

日志输出的转义处理不恰当

Source: NVD (National Vulnerability Database)

Vulnerability Title

Neo4j 安全漏洞

Source: CNNVD (China National Vulnerability Database)

Vulnerability Description

Neo4j是美国Neo4j公司的一款基于Java的且完全兼容ACID的图形数据库，它支持数据迁移、附加组件等。 Neo4j Enterprise和Neo4j Community 2026.01之前版本存在安全漏洞，该漏洞源于查询日志中Unicode字符转义不足，如果用户在将日志视为HTML的工具中打开日志，可能导致跨站脚本。

Source: CNNVD (China National Vulnerability Database)

CVSS Information

N/A

Source: CNNVD (China National Vulnerability Database)

Vulnerability Type

N/A

Source: CNNVD (China National Vulnerability Database)

Affected Products

Vendor	Product	Affected Versions	CPE	Subscribe
neo4j	Enterprise Edition	0 ~ 2026.01.0	-
neo4j	Community Edition	0 ~ 2026.01.0	-

II. Public POCs for CVE-2026-1337

#	POC Description	Source Link	Shenlong Link
1	CVE-2026-1337 - Neo4j - Log Injection	https://github.com/JoakimBulow/CVE-2026-1337	POC Details

AI-Generated POCPremium

No public POC found.

III. Intelligence Information for CVE-2026-1337

Please Login to view more intelligence information

IV. Related Vulnerabilities

Same product: Enterprise Edition

Same vendor: neo4j

Same weakness: CWE-117

V. Comments for CVE-2026-1337

No comments yet

Goal Reached Thanks to every supporter — we hit 100%!

I. Basic Information for CVE-2026-1337

Vulnerability Information

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Affected Products

II. Public POCs for CVE-2026-1337

III. Intelligence Information for CVE-2026-1337

IV. Related Vulnerabilities

V. Comments for CVE-2026-1337

Leave a comment