CVE-2024-5986

🗓️ 02 Feb 2026 10:36:24Reported by @huntr_aiType

cve🔗 web.nvd.nist.gov👁 9 Views🌐 WEB

CVE-2024-5986 enables remote file write in h2o-3 via header injection, risking code execution.

Reporter	Title	Published	Views	Family All 15
ATTACKERKB	CVE-2024-5986	2 Feb 202610:36	–	attackerkb
CNNVD	H2O 安全漏洞	2 Feb 202600:00	–	cnnvd
Cvelist	CVE-2024-5986 Remote Arbitrary File Write with Arbitrary Data in h2oai/h2o-3	2 Feb 202610:36	–	cvelist
EUVD	EUVD-2024-55393	2 Feb 202610:36	–	euvd
Github Security Blog	H2O has an External Control of File Name or Path vulnerability	2 Feb 202612:31	–	github
GitLab Advisory Database	H2O has an External Control of File Name or Path vulnerability	2 Feb 202600:00	–	gitlab
NVD	CVE-2024-5986	2 Feb 202611:16	–	nvd
OSV	GHSA-WJ3H-WX8G-X699 H2O has an External Control of File Name or Path vulnerability	2 Feb 202612:31	–	osv
Positive Technologies	PT-2026-5651	2 Feb 202600:00	–	ptsecurity
RedhatCVE	CVE-2024-5986	3 Feb 202615:18	–	redhatcve

[
  {
    "vendor": "h2oai",
    "product": "h2oai/h2o-3",
    "versions": [
      {
        "version": "unspecified",
        "status": "affected",
        "versionType": "custom",
        "lessThanOrEqual": "latest"
      }
    ]
  }
]

Source	Link
huntr	www.huntr.com/bounties/64ff5319-6ac3-4447-87f7-b53495d4d5a3

Parameter	Position	Path	Description	CWE
header	header	/3/Parse	Attacker-controlled data injected into the header of an empty file via /3/Parse.	CWE-73
framename	path	/3/Frames/framename/export	Export endpoint used after header injection to export the manipulated file, enabling further access via the exported content.	CWE-73

15 Apr 2026 14:34Current

6.6Medium risk

Vulners AI Score6.6

CVSS 39.1

EPSS0.00141

SSVC

CWE-73