Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/956749?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/956749?format=api", "purl": "pkg:maven/org.neo4j/neo4j@3.0.3", "type": "maven", "namespace": "org.neo4j", "name": "neo4j", "version": "3.0.3", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "2026.01.3", "latest_non_vulnerable_version": "2026.01.3", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/50007?format=api", "vulnerability_id": "VCID-9cy5-7wag-t3f7", "summary": "Neo4j Enterprise and Community vulnerable to a potential information disclosure\nNeo4j Enterprise and Community editions versions prior to 2026.01.3 and 5.26.21 are vulnerable to a potential information disclosure by a user who has ability to access the local log files.\n\nThe \"obfuscate_literals\" option in the query logs does not redact error information, exposing unredacted data in the query log when a customer writes a query that fails. It can allow a user with legitimate access to the local log files to obtain information they are not authorised to see. If this user is also in a position to run queries and trigger errors, this vulnerability can potentially help them to infer information they are not authorised to see through their intended database access.\n\nNeo4j recommends upgrading to versions 2026.01.3 (or 5.26.21) where the issue is fixed, and reviewing query log files permissions to ensure restricted access. If a project's configuration had db.logs.query.obfuscate_literals enabled, and users wish for the obfuscation to cover the error messages as well, theyneed to enable the new configuration setting db.logs.query.obfuscate_errors once they have upgraded Neo4j.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-1622.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-1622.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-1622", "reference_id": "", "reference_type": "", "scores": [ { "value": "6e-05", "scoring_system": "epss", "scoring_elements": "0.00387", "published_at": "2026-06-05T12:55:00Z" }, { "value": "7e-05", "scoring_system": "epss", "scoring_elements": "0.00551", "published_at": "2026-06-09T12:55:00Z" }, { "value": "7e-05", "scoring_system": "epss", "scoring_elements": "0.00554", "published_at": "2026-06-06T12:55:00Z" }, { "value": "7e-05", "scoring_system": "epss", "scoring_elements": "0.00552", "published_at": "2026-06-07T12:55:00Z" }, { "value": "7e-05", "scoring_system": "epss", "scoring_elements": "0.00548", "published_at": "2026-06-08T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-1622" }, { "reference_url": "https://github.com/neo4j/neo4j", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/neo4j/neo4j" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2436677", "reference_id": "2436677", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2436677" }, { "reference_url": "https://neo4j.com/security/CVE-2026-1622", "reference_id": "CVE-2026-1622", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/AU:N/R:U/V:D/RE:M" }, { "value": "4.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T15:12:30Z/" } ], "url": "https://neo4j.com/security/CVE-2026-1622" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1622", "reference_id": "CVE-2026-1622", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1622" }, { "reference_url": "https://github.com/advisories/GHSA-4j3g-rwwq-4p54", "reference_id": "GHSA-4j3g-rwwq-4p54", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-4j3g-rwwq-4p54" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/73854?format=api", "purl": "pkg:maven/org.neo4j/neo4j@5.26.21", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-q35z-kxy1-6kcq" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.neo4j/neo4j@5.26.21" }, { "url": "http://public2.vulnerablecode.io/api/packages/73855?format=api", "purl": "pkg:maven/org.neo4j/neo4j@2026.01.3", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.neo4j/neo4j@2026.01.3" } ], "aliases": [ "CVE-2026-1622", "GHSA-4j3g-rwwq-4p54" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-9cy5-7wag-t3f7" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/50038?format=api", "vulnerability_id": "VCID-q35z-kxy1-6kcq", "summary": "Neo4j Enterprise and Community editions have insufficient escaping of unicode characters in query log\nInsufficient escaping of unicode characters in query log in Neo4j Enterprise and Community editions prior to 2026.01 can lead to XSS if the user opens the logs in a tool that treats them as HTML. There is no security impact on Neo4j products, but this advisory is released as a precaution to treat the logs as plain text if using versions prior to 2026.01.\n\nProof of concept exploit: https://github.com/JoakimBulow/CVE-2026-1337", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-1337", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00012", "scoring_system": "epss", "scoring_elements": "0.01814", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00012", "scoring_system": "epss", "scoring_elements": "0.01815", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00012", "scoring_system": "epss", "scoring_elements": "0.0182", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00015", "scoring_system": "epss", "scoring_elements": "0.02965", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00015", "scoring_system": "epss", "scoring_elements": "0.02929", "published_at": "2026-06-09T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-1337" }, { "reference_url": "https://github.com/neo4j/neo4j", "reference_id": "", "reference_type": "", "scores": [ { "value": "1.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/neo4j/neo4j" }, { "reference_url": "https://github.com/JoakimBulow/CVE-2026-1337", "reference_id": "CVE-2026-1337", "reference_type": "", "scores": [ { "value": "1.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-06T14:29:47Z/" } ], "url": "https://github.com/JoakimBulow/CVE-2026-1337" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1337", "reference_id": "CVE-2026-1337", "reference_type": "", "scores": [ { "value": "1.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1337" }, { "reference_url": "https://github.com/advisories/GHSA-xr72-g735-4vwp", "reference_id": "GHSA-xr72-g735-4vwp", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-xr72-g735-4vwp" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/73895?format=api", "purl": "pkg:maven/org.neo4j/neo4j@2026.01", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.neo4j/neo4j@2026.01" }, { "url": "http://public2.vulnerablecode.io/api/packages/73855?format=api", "purl": "pkg:maven/org.neo4j/neo4j@2026.01.3", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.neo4j/neo4j@2026.01.3" } ], "aliases": [ "CVE-2026-1337", "GHSA-xr72-g735-4vwp" ], "risk_score": 1.4, "exploitability": "0.5", "weighted_severity": "2.7", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-q35z-kxy1-6kcq" } ], "fixing_vulnerabilities": [], "risk_score": "3.1", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.neo4j/neo4j@3.0.3" }