Lucene search
K

377 matches found

NVD
NVD
added 4 days ago5 views

CVE-2026-55615

Langroid is a framework for building large-language-model-powered applications. Prior to version 0.65.5, Neo4jChatAgent passes LLM-generated Cypher queries straight to the Neo4j driver with no validation, no statement-type allowlist, and no opt-out gate. The query text is influenceable by prompt...

9.2CVSS0.00461EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 5 days ago7 views

CVE-2026-55615

Langroid is a framework for building large-language-model-powered applications. Prior to version 0.65.5, Neo4jChatAgent passes LLM-generated Cypher queries straight to the Neo4j driver with no validation, no statement-type allowlist, and no opt-out gate. The query text is influenceable by prompt...

9.2CVSS6.1AI score0.00461EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/07/06 9:22 p.m.6 views

Langroid: Neo4jChatAgent executes LLM-generated Cypher without validation (prompt-to-Cypher injection; config-conditional RCE), mirroring the SQLChatAgent bug fixed in CVE-2026-25879

Neo4jChatAgent passes LLM-generated Cypher queries straight to the Neo4j driver with no validation, no statement-type allowlist, and no opt-out gate. The query text is influenceable by prompt injection direct user input or indirect content the agent reads back via RAG, so an attacker who can...

9.8CVSS5.9AI score0.00461EPSS
Exploits0References2Affected Software1
Snyk
Snyk
added 2026/07/06 9:22 p.m.5 views

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Overview langroid is a Harness LLMs with Multi-Agent Programming Affected versions of this package are vulnerable to Improper Neutralization of Special Elements in Output Used by a Downstream Component 'Injection' via the Neo4jChatAgent process. An attacker can gain unauthorized access to all gra...

9.2CVSS6.2AI score0.00461EPSS
Exploits0References2
OSV
OSV
added 2026/07/06 9:22 p.m.6 views

GHSA-2PQ5-3Q89-J7CC Langroid: Neo4jChatAgent executes LLM-generated Cypher without validation (prompt-to-Cypher injection; config-conditional RCE), mirroring the SQLChatAgent bug fixed in CVE-2026-25879

Neo4jChatAgent passes LLM-generated Cypher queries straight to the Neo4j driver with no validation, no statement-type allowlist, and no opt-out gate. The query text is influenceable by prompt injection direct user input or indirect content the agent reads back via RAG, so an attacker who can...

9.2CVSS5.9AI score0.00461EPSS
Exploits0References2
NVD
NVD
added 2026/07/06 9:16 a.m.10 views

CVE-2026-46591

Improper Neutralization of Special Elements in Data Query Logic vulnerability in Apache Camel Neo4J component. The camel-neo4j producer builds the Cypher WHERE clause for its match/retrieve and delete operations from the CamelNeo4jMatchProperties map. CVE-2025-66169 addressed Cypher injection...

8.2CVSS0.00329EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/07/06 8:4 a.m.31 views

CVE-2026-46591 Apache Camel: Camel-Neo4j: JSON property names from the CamelNeo4jMatchProperties header are interpolated into the Cypher WHERE clause without validation, allowing Cypher injection (incomplete remediation of CVE-2025-66169)

Improper Neutralization of Special Elements in Data Query Logic vulnerability in Apache Camel Neo4J component. The camel-neo4j producer builds the Cypher WHERE clause for its match/retrieve and delete operations from the CamelNeo4jMatchProperties map. CVE-2025-66169 addressed Cypher injection...

0.00329EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/07/06 8:4 a.m.8 views

CVE-2026-46591 Apache Camel: Camel-Neo4j: JSON property names from the CamelNeo4jMatchProperties header are interpolated into the Cypher WHERE clause without validation, allowing Cypher injection (incomplete remediation of CVE-2025-66169)

Improper Neutralization of Special Elements in Data Query Logic vulnerability in Apache Camel Neo4J component. The camel-neo4j producer builds the Cypher WHERE clause for its match/retrieve and delete operations from the CamelNeo4jMatchProperties map. CVE-2025-66169 addressed Cypher injection...

6.1AI score0.00613EPSS
Exploits0References1
EUVD
EUVD
added 2026/07/06 8:4 a.m.7 views

EUVD-2026-41835

Improper Neutralization of Special Elements in Data Query Logic vulnerability in Apache Camel Neo4J component. The camel-neo4j producer builds the Cypher WHERE clause for its match/retrieve and delete operations from the CamelNeo4jMatchProperties map. CVE-2025-66169 addressed Cypher injection...

8.2CVSS6.1AI score0.00329EPSS
Exploits0References1
CVE
CVE
added 2026/07/06 8:4 a.m.11 views

CVE-2026-46591

Summary: CVE-2026-46591 affects Apache Camel’s Neo4j component. The vulnerability arises from interpolating JSON keys of the CamelNeo4jMatchProperties header into the Cypher WHERE clause, allowing Cypher injection when untrusted input populates the map. This could enable reading, modifying, or de...

8.2CVSS6.1AI score0.00329EPSS
Exploits0References1Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/07/06 8:4 a.m.6 views

CVE-2026-46591

Improper Neutralization of Special Elements in Data Query Logic vulnerability in Apache Camel Neo4J component. The camel-neo4j producer builds the Cypher WHERE clause for its match/retrieve and delete operations from the CamelNeo4jMatchProperties map. CVE-2025-66169 addressed Cypher injection...

6.1AI score0.00329EPSS
Exploits0References2Affected Software1
Positive Technologies
Positive Technologies
added 2026/07/06 12:0 a.m.10 views

PT-2026-56085

Name of the Vulnerable Software and Affected Versions Langroid versions prior to 0.65.5 Description Neo4jChatAgent passes LLM-generated Cypher queries directly to the Neo4j driver without validation, a statement-type allowlist, or an opt-out gate. Because the query text can be influenced by promp...

9.2CVSS6AI score0.00461EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/07/06 12:0 a.m.7 views

PT-2026-55896

Name of the Vulnerable Software and Affected Versions Apache Camel versions 4.10.0 through 4.14.7 Apache Camel versions 4.15.0 through 4.18.2 Apache Camel versions 4.19.0 through 4.20.x Description An issue exists in the Apache Camel Neo4J component where the producer builds the Cypher WHERE clau...

8.2CVSS6AI score0.00329EPSS
Exploits0References4
Chainguard
Chainguard
added 2026/06/23 8:16 a.m.8 views

CVE-2026-49268 vulnerabilities

Vulnerabilities for packages: apache-jena-fuseki, apache-activemq, apache-activemq-fips, neo4j...

9.1CVSS7AI score0.00494EPSS
Exploits0
Chainguard
Chainguard
added 2026/06/23 8:16 a.m.8 views

GHSA-X96M-RH44-VGV8 vulnerabilities

Vulnerabilities for packages: apache-jena-fuseki, apache-activemq, apache-activemq-fips, neo4j...

6.1AI score
Exploits0
Wolfi
Wolfi
added 2026/06/20 2:16 a.m.12 views

CVE-2026-49268 vulnerabilities

Vulnerabilities for packages: neo4j...

9.1CVSS5.8AI score0.00494EPSS
Exploits0
Wolfi
Wolfi
added 2026/06/20 2:16 a.m.12 views

GHSA-X96M-RH44-VGV8 vulnerabilities

Vulnerabilities for packages: neo4j...

5.8AI score
Exploits0
RedhatCVE
RedhatCVE
added 2026/06/05 7:20 p.m.11 views

CVE-2026-41274

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the GraphCypherQAChain node forwards user-provided input directly into the Cypher query execution pipeline without proper sanitization. An attacker can inject arbitrary Cypher commands that ar...

9.8CVSS5.9AI score0.00504EPSS
Exploits1References1
OSV
OSV
added 2026/05/29 10:28 a.m.6 views

BIT-NEO4J-2026-1471 Caching of authentication context

Excessive caching of authentication context in Neo4j Enterprise edition versions prior to 2026.1.4 leads to authenticated users inheriting the context of the first user who authenticated after restart. The issue is limited to certain non-default configurations of SSO UserInfo endpoint. We recomme...

6.5CVSS5.8AI score0.00244EPSS
Exploits0References2
OSV
OSV
added 2026/05/14 11:48 a.m.6 views

BIT-NEO4J-2026-1497 Incorrect privilege assignment in composite databases

Incorrect resolving of namespaces in composite databases in Neo4j Enterprise edition prior to versions 2026.02 and 5.26.22 can lead to the following scenario: an admin that intends to give a user an access to a remote database constituent "namespace.name" will inadvertently grant access to any...

7.2CVSS5.8AI score0.00235EPSS
Exploits0References2
Rows per page
Query Builder