Vulnerability in Neo4j Community Edition

CVE-2026-1337

Insufficient escaping of unicode characters in query log in Neo4j Enterprise and Community editions prior to 2026.01 can lead to XSS if the user opens the logs in a tool that treats them as HTML. There is no security impact on Neo4j produc…

EPSS: 0.000 (1.8th percentile) — read the EPSS interpretation.

Affected products

Neo4j Community Edition — versions 0
Neo4j Enterprise Edition — versions 0

Weakness classification (CWE)

CWE-117 — Improper Output Neutralization for Logs

References

github.com/JoakimBulow/CVE-2026-1337 (exploit)