CVEFinder.io

CVE-2026-8752

🔶 medium
🔍 Scan for this CVE
Summary

A weakness has been identified in h2oai h2o-3 up to 7402. This vulnerability affects the function exec of the file h2o-core/src/main/java/water/rapids/ast/prims/misc/AstSetProperty.java of the component Rapids setproperty Primitive Handler. Executing a manipulation can lead to improper access controls. The attack may be performed from remote. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond i

Description

A weakness has been identified in h2oai h2o-3 up to 7402. This vulnerability affects the function exec of the file h2o-core/src/main/java/water/rapids/ast/prims/misc/AstSetProperty.java of the component Rapids setproperty Primitive Handler. Executing a manipulation can lead to improper access controls. The attack may be performed from remote. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS Score
5.3
Medium
EPSS Score
0.0
Exploit Probability
Published Date
2026-05-17
First Seen: 2026-05-18
📊 Relative Risk Intelligence

This CVE is Lower Risk - more severe than 19.8% of all 321,566 vulnerabilities in our database.

#257,788
Below average severity
Severity Percentile
🎯 CISA SSVC Assessment Updated: May 18, 2026
🔍 Exploitation Status
Poc
Proof-of-concept available
⚙️ Automatable
YES
Can be exploited automatically
💥 Technical Impact
Partial
Limited system impact
🏆 Discovered By
vulnplusbot (VulDB User) (reporter) VulDB CNA Team (coordinator)
SSVC data provided by CISA
Last Modified 2026-05-19
Source NVD 🔗
CVSS Vector 3.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
CVSS Vector 4.0 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CWE IDs (Weakness Types)
CWE-266 CWE-284

📦 Affected Products 1

Vendor Product Status Affected Versions
h2o h2o Affected
< 7402

🔗 References 4

https://vuldb.com/submit/810108
Third Party Advisory VDB Entry
https://vuldb.com/vuln/364379
Third Party Advisory VDB Entry
https://vuldb.com/vuln/364379/cti
Permissions Required VDB Entry
https://vulnplus-note.wetolink.com/share/pyVa0GWPuAZE
Broken Link

🔗 Related CVEs 6

CVE ID Severity CVSS EPSS Summary Published
CVE-2026-8750 🔶 medium 5.3 0.0 A vulnerability was identified in h2oai h2o-3 up to 7402. Affected by this issue is the function importFiles of the file... 2026-05-17
CVE-2026-8751 ⚠️ high 7.3 0.0 A security flaw has been discovered in h2oai h2o-3 up to 7402. This affects the function importBinaryModel of the file h... 2026-05-17
CVE-2026-3960 ⛔ critical 9.8 0.3 A critical remote code execution vulnerability exists in the unauthenticated REST API endpoint /99/ImportSQLTable in H2O... 2026-04-23
CVE-2025-6544 ⛔ critical 9.8 0.3 A deserialization vulnerability exists in h2oai/h2o-3 versions <= 3.46.0.8, allowing attackers to read arbitrary system ... 2025-09-21
CVE-2025-10768 🔶 medium 6.3 0.1 A flaw has been found in h2oai h2o-3 up to 3.46.08. The impacted element is an unknown function of the file /99/ImportSQ... 2025-09-21
CVE-2025-10769 🔶 medium 6.3 0.1 A vulnerability has been found in h2oai h2o-3 up to 3.46.08. This affects an unknown function of the file /99/ImportSQLT... 2025-09-21
These CVEs affect the same products