CVE-2026-8750

5.3 MEDIUM

A vulnerability was identified in h2oai h2o-3 up to 7402

Published: 2026-05-17 · Last updated: 2026-05-19

Severity and scoring

CVSS: 5.3 MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CWE: CWE-200, CWE-284

Affected products

Vendor	Product
h2o	h2o

Description

A vulnerability was identified in h2oai h2o-3 up to 7402. Affected by this issue is the function importFiles of the file h2o-core/src/main/java/water/persist/PersistNFS.java of the component ImportFile API. Such manipulation leads to information disclosure. The attack can be executed remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.

Source: NVD

References

[NVD]https://nvd.nist.gov/vuln/detail/CVE-2026-8750
[Other]https://vuldb.com/submit/810105
[Other]https://vuldb.com/vuln/364377
[Other]https://vuldb.com/vuln/364377/cti
[Other]https://vulnplus-note.wetolink.com/share/wWjmsfKHRJi3

Related CVEs

Same vendor

CVE-2026-8752 — A weakness has been identified in h2oai h2o-3 up to 7402 (5.3 MEDIUM)
CVE-2026-8751 — A security flaw has been discovered in h2oai h2o-3 up to 7402 (7.3 HIGH)
CVE-2026-3960 — A critical remote code execution vulnerability exists in the unauthenticated REST API endpoint /99/ImportSQLTable in H2O-3 version 3.46.0... (9.8 CRITICAL)

Same CWE

CVE-2026-53520 — Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool (6.5 MEDIUM)
CVE-2026-49397 — Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool (5.3 MEDIUM)
CVE-2026-47124 — Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool (6.5 MEDIUM)
CVE-2026-54396 — An information disclosure vulnerability exists in the MISP AuthKey edit functionality
CVE-2026-47264 — Discourse is an open-source discussion platform (5.3 MEDIUM)