Deserialization of Untrusted Data

Overview Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the importBinaryModel function in the JAR Handler component. An attacker can execute arbitrary code or manipulate application behavior by providing specially crafted JAR with embedded into a model...

CVE-2026-8751

A security flaw has been discovered in h2oai h2o-3 up to 7402. This affects the function importBinaryModel of the file h2o-core/src/main/java/hex/Model.java of the component JAR Handler. Performing a manipulation results in deserialization. The attack is possible to be carried out remotely. The...

CVE-2026-8751 h2oai h2o-3 JAR Model.java importBinaryModel deserialization

A security flaw has been discovered in h2oai h2o-3 up to 7402. This affects the function importBinaryModel of the file h2o-core/src/main/java/hex/Model.java of the component JAR Handler. Performing a manipulation results in deserialization. The attack is possible to be carried out remotely. The...

CVE-2026-8751

A security flaw has been discovered in h2oai h2o-3 up to 7402. This affects the function importBinaryModel of the file h2o-core/src/main/java/hex/Model.java of the component JAR Handler. Performing a manipulation results in deserialization. The attack is possible to be carried out remotely. The...

CVE-2026-8751

Affected software: h2oai h2o-3 (versions before 7402). The issue lies in the JAR Handler component, specifically the importBinaryModel() function in h2o-core/src/main/java/hex/Model.java, where input manipulation can trigger deserialization. This enables remote exploitation, with the exploit publ...

PT-2026-41541

Name of the Vulnerable Software and Affected Versions h2oai h2o-3 versions prior to 7402 Description A flaw in the JAR Handler component allows remote attackers to trigger deserialization by manipulating the importBinaryModel function within the h2o-core/src/main/java/hex/Model.java file...