Skip to main content

Neo4j

6 CVEs product

Monthly

CVE-2026-1497 LOW Monitor

Incorrect resolving of namespaces in composite databases in Neo4j Enterprise edition versions up to 2026.02 is affected by incorrect authorization.

Authentication Bypass Neo4j
NVD VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-1337 Maven MEDIUM POC PATCH This Month

Neo4J versions up to 2026.01 contains a vulnerability that allows attackers to XSS if the user opens the logs in a tool that treats them as HTML (CVSS 5.4).

Github XSS Neo4j
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2024-34517 Maven MEDIUM PATCH This Month

The Cypher component in Neo4j 5.0.0 through 5.18 mishandles IMMUTABLE privileges in some situations where an attacker already has admin access. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Neo4j
NVD GitHub
CVSS 3.1
6.5
EPSS
0.6%
CVE-2021-34371 Maven CRITICAL POC PATCH THREAT Act Now

Neo4j through 3.4.18 (with the shell server enabled) exposes an RMI service that arbitrarily deserializes Java objects, e.g., through setSessionVariable. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization RCE Java Neo4j
NVD Exploit-DB
CVSS 3.1
9.8
EPSS
13.4%
CVE-2018-18389 Maven CRITICAL POC PATCH Act Now

Due to incorrect access control in Neo4j Enterprise Database Server 3.4.x before 3.4.9, the setting of LDAP for authentication with STARTTLS, and System Account for authorization, allows an attacker. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Neo4j
NVD GitHub
CVSS 3.0
9.8
EPSS
1.9%
CVE-2013-7259 Maven MEDIUM PATCH This Month

Multiple cross-site request forgery (CSRF) vulnerabilities in Neo4J 1.9.2 allow remote attackers to hijack the authentication of administrators for requests that execute arbitrary code, as. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. This OS Command Injection vulnerability could allow attackers to execute arbitrary operating system commands on the host.

Command Injection RCE CSRF Neo4j
NVD GitHub VulDB
CVSS 2.0
6.8
EPSS
0.3%
EPSS 0% CVSS 2.0
LOW Monitor

Incorrect resolving of namespaces in composite databases in Neo4j Enterprise edition versions up to 2026.02 is affected by incorrect authorization.

Authentication Bypass Neo4j
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM POC PATCH This Month

Neo4J versions up to 2026.01 contains a vulnerability that allows attackers to XSS if the user opens the logs in a tool that treats them as HTML (CVSS 5.4).

Github XSS Neo4j
NVD GitHub
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

The Cypher component in Neo4j 5.0.0 through 5.18 mishandles IMMUTABLE privileges in some situations where an attacker already has admin access. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Neo4j
NVD GitHub
EPSS 13% CVSS 9.8
CRITICAL POC PATCH THREAT Act Now

Neo4j through 3.4.18 (with the shell server enabled) exposes an RMI service that arbitrarily deserializes Java objects, e.g., through setSessionVariable. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization RCE Java +1
NVD Exploit-DB
EPSS 2% CVSS 9.8
CRITICAL POC PATCH Act Now

Due to incorrect access control in Neo4j Enterprise Database Server 3.4.x before 3.4.9, the setting of LDAP for authentication with STARTTLS, and System Account for authorization, allows an attacker. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Neo4j
NVD GitHub
EPSS 0% CVSS 6.8
MEDIUM PATCH This Month

Multiple cross-site request forgery (CSRF) vulnerabilities in Neo4J 1.9.2 allow remote attackers to hijack the authentication of administrators for requests that execute arbitrary code, as. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. This OS Command Injection vulnerability could allow attackers to execute arbitrary operating system commands on the host.

Command Injection RCE CSRF +1
NVD GitHub VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy