CVE-2026-3960
9.8 CRITICALA critical remote code execution vulnerability exists in the unauthenticated REST API endpoint /99/ImportSQLTable in H2O-3 version 3.46.0...
Published: 2026-04-23 · Last updated: 2026-05-19
Severity and scoring
- CVSS
- 9.8 CRITICAL
- Vector
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- CWE
- CWE-94
Affected products
| Vendor | Product |
|---|---|
| h2o | h2o |
Description
A critical remote code execution vulnerability exists in the unauthenticated REST API endpoint /99/ImportSQLTable in H2O-3 version 3.46.0.9 and prior. The vulnerability arises due to insufficient security controls in the parameter blacklist mechanism, which only targets MySQL JDBC driver-specific dangerous parameters. An attacker can bypass these controls by switching the JDBC URL protocol to jdbc:postgresql: and exploiting PostgreSQL JDBC driver-specific parameters such as socketFactory and socketFactoryArg. This allows unauthenticated attackers to execute arbitrary code on the H2O-3 server with the privileges of the H2O-3 process. The issue is resolved in version 3.46.0.10.
Source: NVD
References
Related CVEs
Same vendor
- CVE-2026-8752 — A weakness has been identified in h2oai h2o-3 up to 7402 (5.3 MEDIUM)
- CVE-2026-8751 — A security flaw has been discovered in h2oai h2o-3 up to 7402 (7.3 HIGH)
- CVE-2026-8750 — A vulnerability was identified in h2oai h2o-3 up to 7402 (5.3 MEDIUM)
Same CWE
- CVE-2026-12176 — A vulnerability has been found in SourceCodester CET Automated Grading System with AI Predictive Analytics 1.0 (4.3 MEDIUM)
- CVE-2026-54057 — Kitty is a cross-platform GPU based terminal
- CVE-2026-12130 — A security flaw has been discovered in CodeAstro Human Resource Management System 1.0 (3.5 LOW)
- CVE-2026-12129 — A vulnerability was identified in CodeAstro Human Resource Management System 1.0 (3.5 LOW)
- CVE-2026-42890 — Actual is an open-source personal finance application