CVEFinder.io

CVE-2026-3960

⛔ critical
🔍 Scan for this CVE
Summary

A critical remote code execution vulnerability exists in the unauthenticated REST API endpoint /99/ImportSQLTable in H2O-3 version 3.46.0.9 and prior. The vulnerability arises due to insufficient security controls in the parameter blacklist mechanism, which only targets MySQL JDBC driver-specific dangerous parameters. An attacker can bypass these controls by switching the JDBC URL protocol to jdbc:postgresql: and exploiting PostgreSQL JDBC driver-specific parameters such as socketFactory and soc

Description

A critical remote code execution vulnerability exists in the unauthenticated REST API endpoint /99/ImportSQLTable in H2O-3 version 3.46.0.9 and prior. The vulnerability arises due to insufficient security controls in the parameter blacklist mechanism, which only targets MySQL JDBC driver-specific dangerous parameters. An attacker can bypass these controls by switching the JDBC URL protocol to jdbc:postgresql: and exploiting PostgreSQL JDBC driver-specific parameters such as socketFactory and socketFactoryArg. This allows unauthenticated attackers to execute arbitrary code on the H2O-3 server with the privileges of the H2O-3 process. The issue is resolved in version 3.46.0.10.

CVSS Score
9.8
Critical
EPSS Score
0.3
Exploit Probability
Published Date
2026-04-23
First Seen: 2026-04-27
📊 Relative Risk Intelligence

This CVE is Very High Risk - more severe than 90.4% of all 321,566 vulnerabilities in our database.

#30,777
Top 10% most severe
Severity Percentile
🎯 CISA SSVC Assessment Updated: Apr 23, 2026
🔍 Exploitation Status
Poc
Proof-of-concept available
⚙️ Automatable
NO
Requires human interaction
💥 Technical Impact
Partial
Limited system impact
SSVC data provided by CISA
Last Modified 2026-05-19
Source NVD 🔗
CVSS Vector 3.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE IDs (Weakness Types)
CWE-94

📦 Affected Products 1

Vendor Product Status Affected Versions
h2o h2o Affected
< 3.46.0.10

🔗 References 2

https://github.com/h2oai/h2o-3/commit/b9ae2d3c5220db...
Patch
https://huntr.com/bounties/6954fe04-b905-453f-8c53-2...
Exploit Third Party Advisory

🔗 Related CVEs 6

CVE ID Severity CVSS EPSS Summary Published
CVE-2026-8750 🔶 medium 5.3 0.0 A vulnerability was identified in h2oai h2o-3 up to 7402. Affected by this issue is the function importFiles of the file... 2026-05-17
CVE-2026-8751 ⚠️ high 7.3 0.0 A security flaw has been discovered in h2oai h2o-3 up to 7402. This affects the function importBinaryModel of the file h... 2026-05-17
CVE-2026-8752 🔶 medium 5.3 0.0 A weakness has been identified in h2oai h2o-3 up to 7402. This vulnerability affects the function exec of the file h2o-c... 2026-05-17
CVE-2025-6544 ⛔ critical 9.8 0.3 A deserialization vulnerability exists in h2oai/h2o-3 versions <= 3.46.0.8, allowing attackers to read arbitrary system ... 2025-09-21
CVE-2025-10768 🔶 medium 6.3 0.1 A flaw has been found in h2oai h2o-3 up to 3.46.08. The impacted element is an unknown function of the file /99/ImportSQ... 2025-09-21
CVE-2025-10769 🔶 medium 6.3 0.1 A vulnerability has been found in h2oai h2o-3 up to 3.46.08. This affects an unknown function of the file /99/ImportSQLT... 2025-09-21
These CVEs affect the same products