18 matches found
GHSA-QMCV-HH7C-3M56 H2O-3 is Vulnerable to Code Injection
A critical remote code execution vulnerability exists in the unauthenticated REST API endpoint /99/ImportSQLTable in H2O-3 version 3.46.0.9 and prior. The vulnerability arises due to insufficient security controls in the parameter blacklist mechanism, which only targets MySQL JDBC driver-specific...
CVE-2026-3960
A critical remote code execution vulnerability exists in the unauthenticated REST API endpoint /99/ImportSQLTable in H2O-3 version 3.46.0.9 and prior. The vulnerability arises due to insufficient security controls in the parameter blacklist mechanism, which only targets MySQL JDBC driver-specific...
CVE-2026-3960 Remote Code Execution in h2oai/h2o-3
A critical remote code execution vulnerability exists in the unauthenticated REST API endpoint /99/ImportSQLTable in H2O-3 version 3.46.0.9 and prior. The vulnerability arises due to insufficient security controls in the parameter blacklist mechanism, which only targets MySQL JDBC driver-specific...
PT-2026-34648
A critical remote code execution vulnerability exists in the unauthenticated REST API endpoint /99/ImportSQLTable in H2O-3 version 3.46.0.9 and prior. The vulnerability arises due to insufficient security controls in the parameter blacklist mechanism, which only targets MySQL JDBC driver-specific...
EUVD-2025-30378
Malicious code in bioql PyPI...
EUVD-2025-30379
Malicious code in bioql PyPI...
CVE-2025-10768
A flaw has been found in h2oai h2o-3 up to 3.46.08. The impacted element is an unknown function of the file /99/ImportSQLTable of the component IBMDB2 JDBC Driver. This manipulation of the argument connectionurl causes deserialization. The attack may be initiated remotely. The exploit has been...
CVE-2025-10769
A vulnerability has been found in h2oai h2o-3 up to 3.46.08. This affects an unknown function of the file /99/ImportSQLTable of the component H2 JDBC Driver. Such manipulation of the argument connectionurl leads to deserialization. The attack may be launched remotely. The exploit has been disclos...
Deserialization of Untrusted Data
Overview: Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the ImportSQLTable process of the H2 JDBC Driver when handling the connectionurl argument. An attacker can execute arbitrary code by supplying crafted serialized data remotely. Details: Serialization...
Deserialization of Untrusted Data
Overview: Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the ImportSQLTable process of the IBMDB2 JDBC Driver component when handling the connectionurl argument. An attacker can execute arbitrary code by supplying crafted serialized data remotely. Details...
CVE-2025-10768
A flaw has been found in h2oai h2o-3 up to 3.46.08. The impacted element is an unknown function of the file /99/ImportSQLTable of the component IBMDB2 JDBC Driver. This manipulation of the argument connectionurl causes deserialization. The attack may be initiated remotely. The exploit has been...
CVE-2025-10768
A flaw has been found in h2oai h2o-3 up to 3.46.08. The impacted element is an unknown function of the file /99/ImportSQLTable of the component IBMDB2 JDBC Driver. This manipulation of the argument connectionurl causes deserialization. The attack may be initiated remotely. The exploit has been...
CVE-2025-10769
CVE-2025-10769 affects h2oai h2o-3 up to 3.46.08 via the H2 JDBC Driver, specifically the /99/ImportSQLTable file. The vulnerability arises from manipulation of the connection_url argument, which leads to deserialization. Reports indicate the attack may be launched remotely and that the exploit h...
CVE-2025-10768 h2oai h2o-3 IBMDB2 JDBC Driver ImportSQLTable deserialization
A flaw has been found in h2oai h2o-3 up to 3.46.08. The impacted element is an unknown function of the file /99/ImportSQLTable of the component IBMDB2 JDBC Driver. This manipulation of the argument connectionurl causes deserialization. The attack may be initiated remotely. The exploit has been...
PT-2025-38663
Name of the Vulnerable Software and Affected Versions: h2oai h2o-3 versions through 3.46.08. Description: A vulnerability exists in h2oai h2o-3 up to version 3.46.08, specifically within the H2 JDBC Driver component. The issue involves the manipulation of the connection url argument in the...
CVE-2025-5662
A deserialization vulnerability exists in the H2O-3 REST API POST /99/ImportSQLTable that affects all versions up to 3.46.0.7. This vulnerability allows remote code execution (RCE) due to improper validation of JDBC connection parameters when using a Key-Value format. The vulnerability is present i...
H2O-3 MySQL JDBC Driver Deserialization Vulnerability_Key-Value Bypass Parameter Inspection
Creator: zack; H2O-3 Version: 3.46.0.7, 3.47.0.6928; MySQL JDBC Driver Version: 8.0.19; JDK Version: 8u112. Description: There is a JDBC deserialization vulnerability in the H2O-3 REST API (POST /99/ImportSQLTable) that does not require authentication. This vulnerability can lead to Remote Code Executio...
CVE-2024-45758
H2O.ai H2O through 3.46.0.4 allows attackers to arbitrarily set the JDBC URL, leading to deserialization attacks, file reads, and command execution. Exploitation can occur when an attacker has access to post to the ImportSQLTable URI with a JSON document containing a connectionurl property with a...