CVE-2026-8751
7.3 HIGHA security flaw has been discovered in h2oai h2o-3 up to 7402
Published: 2026-05-17 · Last updated: 2026-05-19
Severity and scoring
- CVSS
- 7.3 HIGH
- Vector
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
- CWE
- CWE-20, CWE-502
Affected products
| Vendor | Product |
|---|---|
| h2o | h2o |
Description
A security flaw has been discovered in h2oai h2o-3 up to 7402. This affects the function importBinaryModel of the file h2o-core/src/main/java/hex/Model.java of the component JAR Handler. Performing a manipulation results in deserialization. The attack is possible to be carried out remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Source: NVD
References
Related CVEs
Same vendor
- CVE-2026-8752 — A weakness has been identified in h2oai h2o-3 up to 7402 (5.3 MEDIUM)
- CVE-2026-8750 — A vulnerability was identified in h2oai h2o-3 up to 7402 (5.3 MEDIUM)
- CVE-2026-3960 — A critical remote code execution vulnerability exists in the unauthenticated REST API endpoint /99/ImportSQLTable in H2O-3 version 3.46.0... (9.8 CRITICAL)
Same CWE
- CVE-2026-45013 — ApostropheCMS is an open-source Node.js content management system (8.1 HIGH)
- CVE-2026-54133 — jmespath.php allows users to use JMESPath, software for declaratively specifying how to extract elements from a JSON document, in PHP app... (9.8 CRITICAL)
- CVE-2026-47196 — Quest Bot is an opensource Discord Bot
- CVE-2026-50633 — A JNDI Injection vulnerability has been discovered in Apache CXF's JCA integration module, which can allow for code execution, if an atta... (8.1 HIGH)
- CVE-2026-50632 — A further incomplete fix for a previous advisory CVE-2026-44417 (Untrusted JMS configuration can lead to RCE) for Apache CXF has been ide... (8.1 HIGH)