Security Advisory

CVE-2026-22743

CVE vulnerability detail — eXtreme Datacenter Security Operations

Published 2026-03-27 05:33:20

Last updated 2026-03-27 19:38:58

Assigner vmware

State PUBLISHED

Description

Spring AIs spring-ai-neo4j-store contains a Cypher injection vulnerability in Neo4jVectorFilterExpressionConverter. When a user-controlled string is passed as a filter expression key in Neo4jVectorFilterExpressionConverter of spring-ai-neo4j-store, doKey() embeds the key into a backtick-delimited Cypher property accessor (node.`metadata.`) after stripping only double quotes, without escaping embedded backticks.This issue affects Spring AI: from 1.0.0 before 1.0.5, from 1.1.0 before 1.1.4.

← Browse all CVEs View on cve.org ↗