CVE-2026-8750

🔶 medium

Summary

A vulnerability was identified in h2oai h2o-3 up to 7402. Affected by this issue is the function importFiles of the file h2o-core/src/main/java/water/persist/PersistNFS.java of the component ImportFile API. Such manipulation leads to information disclosure. The attack can be executed remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS Score

5.3

Medium

EPSS Score

0.0

Exploit Probability

Published Date

2026-05-17

First Seen: 2026-05-18

📊 Relative Risk Intelligence

This CVE is Lower Risk - more severe than 19.8% of all 321,566 vulnerabilities in our database.

#257,788

Below average severity

Severity Percentile

🎯 CISA SSVC Assessment Updated: May 18, 2026

🔍 Exploitation Status

Poc

Proof-of-concept available

⚙️ Automatable

YES

Can be exploited automatically

💥 Technical Impact

Partial

Limited system impact

🏆 Discovered By

vulnplusbot (VulDB User) (reporter) VulDB CNA Team (coordinator)

SSVC data provided by CISA

Last Modified 2026-05-19

Source NVD 🔗

CVSS Vector 3.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVSS Vector 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE IDs (Weakness Types)

CWE-200 CWE-284

📦 Affected Products 1

Vendor	Product	Status	Affected Versions
h2o	h2o	Affected	< 7402

🔗 References 4

https://vuldb.com/submit/810105

Third Party Advisory VDB Entry

https://vuldb.com/vuln/364377

Third Party Advisory VDB Entry

https://vuldb.com/vuln/364377/cti

Permissions Required VDB Entry

https://vulnplus-note.wetolink.com/share/wWjmsfKHRJi3

Broken Link

🔗 Related CVEs 6

CVE ID	Severity	CVSS	EPSS	Summary	Published
CVE-2026-8751	⚠️ high	7.3	0.0	A security flaw has been discovered in h2oai h2o-3 up to 7402. This affects the function importBinaryModel of the file h...	2026-05-17
CVE-2026-8752	🔶 medium	5.3	0.0	A weakness has been identified in h2oai h2o-3 up to 7402. This vulnerability affects the function exec of the file h2o-c...	2026-05-17
CVE-2026-3960	⛔ critical	9.8	0.3	A critical remote code execution vulnerability exists in the unauthenticated REST API endpoint /99/ImportSQLTable in H2O...	2026-04-23
CVE-2025-6544	⛔ critical	9.8	0.3	A deserialization vulnerability exists in h2oai/h2o-3 versions <= 3.46.0.8, allowing attackers to read arbitrary system ...	2025-09-21
CVE-2025-10768	🔶 medium	6.3	0.1	A flaw has been found in h2oai h2o-3 up to 3.46.08. The impacted element is an unknown function of the file /99/ImportSQ...	2025-09-21
CVE-2025-10769	🔶 medium	6.3	0.1	A vulnerability has been found in h2oai h2o-3 up to 3.46.08. This affects an unknown function of the file /99/ImportSQLT...	2025-09-21

These CVEs affect the same products