26 matches found

EUVD
added 2026/04/23 12:31 p.m., 3 views

EUVD-2026-25205

A critical remote code execution vulnerability exists in the unauthenticated REST API endpoint /99/ImportSQLTable in H2O-3 version 3.46.0.9 and prior. The vulnerability arises due to insufficient security controls in the parameter blacklist mechanism, which only targets MySQL JDBC driver-specific...

CVSS 5.9, AI score 6.8, EPSS 0.00258
Exploits: 1, References: 3

GitHub Security Blog
added 2026/04/23 12:31 p.m., 5 views

H2O-3 is Vulnerable to Code Injection

A critical remote code execution vulnerability exists in the unauthenticated REST API endpoint /99/ImportSQLTable in H2O-3 version 3.46.0.9 and prior. The vulnerability arises due to insufficient security controls in the parameter blacklist mechanism, which only targets MySQL JDBC driver-specific...

CVSS 9.8, AI score 7.5, EPSS 0.00258
Exploits: 1, References: 4, Affected Software: 1

ATTACKERKB
added 2026/04/23 8:47 a.m., 1 view

CVE-2026-3960

A critical remote code execution vulnerability exists in the unauthenticated REST API endpoint /99/ImportSQLTable in H2O-3 version 3.46.0.9 and prior. The vulnerability arises due to insufficient security controls in the parameter blacklist mechanism, which only targets MySQL JDBC driver-specific...

CVSS 5.9, AI score 7.7, EPSS 0.00258
Exploits: 1, References: 3

Vulnrichment
added 2026/04/23 8:47 a.m., 2 views

CVE-2026-3960 Remote Code Execution in h2oai/h2o-3

A critical remote code execution vulnerability exists in the unauthenticated REST API endpoint /99/ImportSQLTable in H2O-3 version 3.46.0.9 and prior. The vulnerability arises due to insufficient security controls in the parameter blacklist mechanism, which only targets MySQL JDBC driver-specific...

CVSS 5.9, AI score 7.7, EPSS 0.00258
Exploits: 1, References: 2

CVE
added 2026/04/23 8:47 a.m., 10 views

CVE-2026-3960

CVE-2026-3960 is a remote code execution in H2O-3 prior to 3.46.0.10 via the unauthenticated REST endpoint /99/ImportSQLTable. The issue stems from a MySQL-focused parameter blacklist that can be bypassed by switching the JDBC URL to a PostgreSQL URL (e.g., using socketFactory/socketFactoryArg pa...

CVSS 9.8, AI score 7.2, EPSS 0.00258
Exploits: 1, References: 2, Affected Software: 1

GitLab Advisory Database
added 2026/04/23 12:0 a.m., 6 views

H2O-3 is Vulnerable to Code Injection

A critical remote code execution vulnerability exists in the unauthenticated REST API endpoint /99/ImportSQLTable in H2O-3 version 3.46.0.9 and prior. The vulnerability arises due to insufficient security controls in the parameter blacklist mechanism, which only targets MySQL JDBC driver-specific...

CVSS 9.8, AI score 7.5, EPSS 0.00258
Exploits: 1, References: 4

EUVD
added 2025/10/03 8:7 p.m., 5 views

EUVD-2025-26414

Malicious code in bioql PyPI...

CVSS 9.8, AI score 9.4, EPSS 0.0284
Exploits: 0, References: 2

NVD
added 2025/09/21 10:15 a.m., 3 views

CVE-2025-10769

A vulnerability has been found in h2oai h2o-3 up to 3.46.08. This affects an unknown function of the file /99/ImportSQLTable of the component H2 JDBC Driver. Such manipulation of the argument connectionurl leads to deserialization. The attack may be launched remotely. The exploit has been disclos...

CVSS 9.8, EPSS 0.00135
Exploits: 1, References: 7

OSV
added 2025/09/21 10:15 a.m., 2 views

CVE-2025-10769

A vulnerability has been found in h2oai h2o-3 up to 3.46.08. This affects an unknown function of the file /99/ImportSQLTable of the component H2 JDBC Driver. Such manipulation of the argument connectionurl leads to deserialization. The attack may be launched remotely. The exploit has been disclos...

CVSS 9.8, AI score 6.7
Exploits: 0, References: 7

Vulnrichment
added 2025/09/21 9:33 a.m., 3 views

CVE-2025-10769 h2oai h2o-3 H2 JDBC Driver ImportSQLTable deserialization

A vulnerability has been found in h2oai h2o-3 up to 3.46.08. This affects an unknown function of the file /99/ImportSQLTable of the component H2 JDBC Driver. Such manipulation of the argument connectionurl leads to deserialization. The attack may be launched remotely. The exploit has been disclos...

CVSS 6.5, AI score 6.3, EPSS 0.00135
Exploits: 1, References: 7

Cvelist
added 2025/09/21 9:33 a.m., 7 views

CVE-2025-10769 h2oai h2o-3 H2 JDBC Driver ImportSQLTable deserialization

A vulnerability has been found in h2oai h2o-3 up to 3.46.08. This affects an unknown function of the file /99/ImportSQLTable of the component H2 JDBC Driver. Such manipulation of the argument connectionurl leads to deserialization. The attack may be launched remotely. The exploit has been disclos...

CVSS 6.5, EPSS 0.00135
Exploits: 1, References: 7

CVE
added 2025/09/21 9:33 a.m., 11 views

CVE-2025-10768

CVE-2025-10768 affects h2oai h2o-3 up to version 3.46.08. The vulnerability is a deserialization flaw in an unknown function within the IBMDB2 JDBC Driver’s /99/ImportSQLTable, caused by manipulation of the connection_url argument. This enables remote exploitation and an exploit has been publishe...

CVSS 9.8, AI score 6.2, EPSS 0.00095
Exploits: 0, References: 5, Affected Software: 1

Vulnrichment
added 2025/09/21 9:33 a.m., 2 views

CVE-2025-10768 h2oai h2o-3 IBMDB2 JDBC Driver ImportSQLTable deserialization

A flaw has been found in h2oai h2o-3 up to 3.46.08. The impacted element is an unknown function of the file /99/ImportSQLTable of the component IBMDB2 JDBC Driver. This manipulation of the argument connectionurl causes deserialization. The attack may be initiated remotely. The exploit has been...

CVSS 6.5, AI score 6.2, EPSS 0.00095
Exploits: 0, References: 5

Positive Technologies
added 2025/09/21 12:0 a.m., 5 views

PT-2025-38662

Name of the Vulnerable Software and Affected Versions: h2oai h2o-3 versions through 3.46.08. Description: A flaw exists in h2oai h2o-3, specifically in an unknown function within the /99/ImportSQLTable file of the IBMDB2 JDBC Driver component. Manipulation of the connection url argument can lead to...

CVSS 6.5, AI score 6.2, EPSS 0.00095
Exploits: 0, References: 8

CNNVD
added 2025/09/21 12:0 a.m., 2 views

H2O Security Vulnerability

H2O is an in-memory platform for distributed, scalable machine learning open-sourced by H2O.ai. A security vulnerability exists in H2O 3.46.08 and earlier versions, which stems from a deserialization operation of the parameter connectionurl in the file /99/ImportSQLTable, which could lead to a...

CVSS 9.8, AI score 6.4, EPSS 0.00095
Exploits: 0, References: 6

NVD
added 2025/09/02 12:15 p.m., 5 views

CVE-2025-5662

A deserialization vulnerability exists in the H2O-3 REST API POST /99/ImportSQLTable that affects all versions up to 3.46.0.7. This vulnerability allows remote code execution RCE due to improper validation of JDBC connection parameters when using a Key-Value format. The vulnerability is present i...

CVSS 9.8, EPSS 0.0284
Exploits: 0, References: 2

OSV
added 2025/09/02 12:15 p.m., 8 views

CVE-2025-5662

A deserialization vulnerability exists in the H2O-3 REST API POST /99/ImportSQLTable that affects all versions up to 3.46.0.7. This vulnerability allows remote code execution RCE due to improper validation of JDBC connection parameters when using a Key-Value format. The vulnerability is present i...

CVSS 9.8, AI score 9.5
Exploits: 0, References: 2

Snyk
added 2025/09/02 11:43 a.m., 3 views

Deserialization of Untrusted Data

Overview: Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the POST /99/ImportSQLTable endpoint, which does not require authentication. An attacker can execute arbitrary code by sending specially crafted requests to the REST API endpoint. Details...

CVSS 9.8, AI score 9.6, EPSS 0.0284
Exploits: 0, References: 2

Vulnrichment
added 2025/09/02 11:14 a.m., 4 views

CVE-2025-5662 Deserialization Vulnerability in h2oai/h2o-3

A deserialization vulnerability exists in the H2O-3 REST API POST /99/ImportSQLTable that affects all versions up to 3.46.0.7. This vulnerability allows remote code execution RCE due to improper validation of JDBC connection parameters when using a Key-Value format. The vulnerability is present i...

CVSS 9.8, AI score 7.5, EPSS 0.0284
Exploits: 0, References: 2

CVE
added 2025/09/02 11:14 a.m., 16 views

CVE-2025-5662

CVE-2025-5662 describes a deserialization vulnerability in H2O-3 REST API (POST /99/ImportSQLTable) affecting all versions up to 3.46.0.7. Improper validation of JDBC connection parameters (Key-Value format) can lead to remote code execution (RCE). The issue involves MySQL JDBC Driver 8.0.19 and ...

CVSS 9.8, AI score 9.5, EPSS 0.0284
Exploits: 0, References: 2