Filtered by vendor Neo4j
Subscriptions
Total
12 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-56406 | 2 Neo4j, Neo4j-contrib | 2 Neo4j, Mcp-neo4j | 2025-09-16 | 7.5 High |
| An issue was discovered in mcp-neo4j 0.3.0 allowing attackers to obtain sensitive information or execute arbitrary commands via the SSE service. NOTE: the Supplier's position is that authentication is not mandatory for MCP servers, and the mcp-neo4j MCP server is only intended for use in a local environment where authentication realistically would not be needed. Also, the Supplier provides middleware to help isolate the MCP server from external access (if needed). | ||||
| CVE-2025-10193 | 1 Neo4j | 2 Cypher Mcp Server, Neo4j | 2025-09-12 | N/A |
| DNS rebinding vulnerability in Neo4j Cypher MCP server allows malicious websites to bypass Same-Origin Policy protections and execute unauthorised tool invocations against locally running Neo4j MCP instances. The attack relies on the user being enticed to visit a malicious website and spend sufficient time there for DNS rebinding to succeed. | ||||
| CVE-2024-34517 | 1 Neo4j | 1 Neo4j | 2025-07-23 | 6.5 Medium |
| The Cypher component in Neo4j 5.0.0 through 5.18 mishandles IMMUTABLE privileges in some situations where an attacker already has admin access. | ||||
| CVE-2013-7259 | 1 Neo4j | 1 Neo4j | 2025-04-12 | N/A |
| Multiple cross-site request forgery (CSRF) vulnerabilities in Neo4J 1.9.2 allow remote attackers to hijack the authentication of administrators for requests that execute arbitrary code, as demonstrated by a request to (1) db/data/ext/GremlinPlugin/graphdb/execute_script or (2) db/manage/server/console/. | ||||
| CVE-2022-23532 | 1 Neo4j | 1 Awesome Procedures On Cyper | 2025-03-10 | 7.1 High |
| APOC (Awesome Procedures on Cypher) is an add-on library for Neo4j that provides hundreds of procedures and functions. A path traversal vulnerability found in the apoc.export.* procedures of apoc plugins in Neo4j Graph database. The issue allows a malicious actor to potentially break out of the expected directory. The vulnerability is such that files could only be created but not overwritten. For the vulnerability to be exploited, an attacker would need access to execute an arbitrary query, either by having access to an authenticated Neo4j client, or a Cypher injection vulnerability in an application. The minimum versions containing patch for this vulnerability are 4.4.0.12 and 4.3.0.12 and 5.3.1. As a workaround, you can control the allowlist of the procedures that can be used in your system, and/or turn off local file access by setting apoc.export.file.enabled=false. | ||||
| CVE-2023-23926 | 1 Neo4j | 1 Awesome Procedures On Cyper | 2025-03-10 | 5.9 Medium |
| APOC (Awesome Procedures on Cypher) is an add-on library for Neo4j. An XML External Entity (XXE) vulnerability found in the apoc.import.graphml procedure of APOC core plugin prior to version 5.5.0 and 4.4.0.14 (4.4 branch) in Neo4j graph database. XML External Entity (XXE) injection occurs when the XML parser allows external entities to be resolved. The XML parser used by the apoc.import.graphml procedure was not configured in a secure way and therefore allowed this. External entities can be used to read local files, send HTTP requests, and perform denial-of-service attacks on the application. Abusing the XXE vulnerability enabled assessors to read local files remotely. Although with the level of privileges assessors had this was limited to one-line files. With the ability to write to the database, any file could have been read. Additionally, assessors noted, with local testing, the server could be crashed by passing in improperly formatted XML. The minimum version containing a patch for this vulnerability is 5.5.0. Those who cannot upgrade the library can control the allowlist of the procedures that can be used in your system. | ||||
| CVE-2022-37423 | 1 Neo4j | 1 Awesome Procedures On Cypher | 2024-11-21 | 7.5 High |
| Neo4j APOC (Awesome Procedures on Cypher) before 4.3.0.7 and 4.x before 4.4.0.8 allows Directory Traversal to sibling directories via apoc.log.stream. | ||||
| CVE-2021-42767 | 1 Neo4j | 1 Awesome Procedures | 2024-11-21 | 9.1 Critical |
| A directory traversal vulnerability in the apoc plugins in Neo4J Graph database before 4.4.0.1 allows attackers to read local files, and sometimes create local files. This is fixed in 3.5.17, 4.2.10, 4.3.0.4, and 4.4.0.1. | ||||
| CVE-2021-34802 | 1 Neo4j | 1 Graph Databse | 2024-11-21 | 8.8 High |
| A failure in resetting the security context in some transaction actions in Neo4j Graph Database 4.2 and 4.3 could allow authenticated users to execute commands with elevated privileges. | ||||
| CVE-2021-34371 | 1 Neo4j | 1 Neo4j | 2024-11-21 | 9.8 Critical |
| Neo4j through 3.4.18 (with the shell server enabled) exposes an RMI service that arbitrarily deserializes Java objects, e.g., through setSessionVariable. An attacker can abuse this for remote code execution because there are dependencies with exploitable gadget chains. | ||||
| CVE-2018-18389 | 1 Neo4j | 1 Neo4j | 2024-11-21 | N/A |
| Due to incorrect access control in Neo4j Enterprise Database Server 3.4.x before 3.4.9, the setting of LDAP for authentication with STARTTLS, and System Account for authorization, allows an attacker to log into the server by sending any valid username with an arbitrary password. | ||||
| CVE-2018-1000820 | 1 Neo4j | 1 Awesome Procedures On Cyper | 2024-11-21 | N/A |
| neo4j-contrib neo4j-apoc-procedures version before commit 45bc09c contains a XML External Entity (XXE) vulnerability in XML Parser that can result in Disclosure of confidential data, denial of service, SSRF, port scanning. This vulnerability appears to have been fixed in after commit 45bc09c. | ||||
Page 1 of 1.