CVE-2026-1337

MEDIUM

Neo4j < 2026.01 - Cross-Site Scripting via Query Log Unicode Character Escaping


Exploitation Summary

EIP tracks 2 public exploits for CVE-2026-1337. PoCs published by XiaomingX, JoakimBulow.

AI-analyzed exploit summary: The repository contains a functional SQL injection exploit for WordPress Quiz Maker (CVE-2025-10042), demonstrating time-based blind SQLi via crafted HTTP headers. The exploit includes data extraction logic for WordPress admin credentials and hashes.

Description

Insufficient escaping of unicode characters in query log in Neo4j Enterprise and Community editions prior to 2026.01 can lead to XSS if the user opens the logs in a tool that treats them as HTML. There is no security impact on Neo4j products, but this advisory is released as a precaution to treat the logs as plain text if using versions prior to 2026.01. Proof of concept exploit: https://github.com/JoakimBulow/CVE-2026-1337

Exploits (2)

github WORKING POC 10 stars
by XiaomingX · pythonpoc
https://github.com/XiaomingX/data-cve-poc-py-v1/tree/main/2026/CVE-2026-1337


Classification
Working Poc 95%
Attack Type
Sqli
Complexity
Moderate
Reliability
Reliable
Target: WordPress Quiz Maker <= 6.7.0.56
No auth needed
Prerequisites: target WordPress URL · path to quiz page · vulnerable header (default: X-Forwarded-For)
devstral-2 · analyzed Feb 27, 2026
nomisec WORKING POC
by JoakimBulow · poc
https://github.com/JoakimBulow/CVE-2026-1337

This repository contains a functional PoC for CVE-2026-1337, demonstrating log injection in Neo4j's query.log via unescaped control characters in Bolt transaction metadata. The exploit injects fake log entries by leveraging newline characters in metadata fields, which are not sanitized when logging is not in JSON format.

Classification
Working Poc 95%
Attack Type
Other
Complexity
Trivial
Reliability
Reliable
Target: Neo4j (version not specified)
Auth required
Prerequisites: Authenticated access to Neo4j · Neo4j configured with non-JSON query logging
devstral-2 · analyzed Feb 18, 2026


Scores

CVSS v3 5.4
EPSS 0.0001
EPSS Percentile 3.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-117
Status published
Products (2)
neo4j/neo4j < 2026.01 (2 CPE variants)
org.neo4j/neo4j 0 - 2026.01 (Maven)
Published Feb 06, 2026
Tracked Since Feb 18, 2026