Описание
Insufficient escaping of unicode characters in query log in Neo4j Enterprise and Community editions prior to 2026.01 can lead to XSS if the user opens the logs in a tool that treats them as HTML. There is no security impact on Neo4j products, but this advisory is released as a precaution to treat the logs as plain text if using versions prior to 2026.01.
Proof of concept exploit: https://github.com/JoakimBulow/CVE-2026-1337
Ссылки
- ExploitThird Party Advisory
Уязвимые конфигурации
Конфигурация 1Версия до 2026.01 (исключая)Версия до 2026.01 (исключая)
Одно из
cpe:2.3:a:neo4j:neo4j:*:*:*:*:community:*:*:*
cpe:2.3:a:neo4j:neo4j:*:*:*:*:enterprise:*:*:*
EPSS
Процентиль: 1%
0.00011
Низкий
5.4 Medium
CVSS3
Дефекты
CWE-117
Связанные уязвимости
CVSS3: 5.4
debian
около 2 месяцев назад
Insufficient escaping of unicode characters in query log in Neo4j Ente ...
github
около 2 месяцев назад
Neo4j Enterprise and Community editions have insufficient escaping of unicode characters in query log
EPSS
Процентиль: 1%
0.00011
Низкий
5.4 Medium
CVSS3
Дефекты
CWE-117