
22 matches found

AstraLinux
added 2026/05/20 5:53 a.m., 2 views

Astra Linux - vulnerability in linux-5.10

In the Linux kernel before version 4.8, the usb_parse_endpoint function in drivers/usb/core/config.c did not validate the wMaxPacketSize field of an endpoint descriptor. NOTE: This vulnerability only affects products that are no longer supported by the supplier...

CVSS: 8.4, AI score: 6.4, EPSS: 0.00111
Exploits: 0, References: 2

RedhatCVE
added 2026/02/03 3:18 p.m., 5 views

CVE-2024-5986

A vulnerability in h2oai/h2o-3 version 3.46.0.1 allows remote attackers to write arbitrary data to any file on the server. This is achieved by exploiting the /3/Parse endpoint to inject attacker-controlled data as the header of an empty file, which is then exported using the...

CVSS: 9.1, AI score: 6.6, EPSS: 0.00141
Exploits: 0, References: 1

Snyk
added 2026/02/02 12:31 p.m., 1 view

External Control of File Name or Path

Overview: Affected versions of this package are vulnerable to External Control of File Name or Path via the /3/Parse and /3/Frames/framename/export endpoints. An attacker can overwrite arbitrary files on the server, including sensitive files such as private SSH keys or script files, by injecting...

CVSS: 9.1, AI score: 6.7, EPSS: 0.00141
Exploits: 0, References: 2

Github Security Blog
added 2026/02/02 12:31 p.m., 4 views

H2O has an External Control of File Name or Path vulnerability

A vulnerability in h2oai/h2o-3 version 3.46.0.1 allows remote attackers to write arbitrary data to any file on the server. This is achieved by exploiting the /3/Parse endpoint to inject attacker-controlled data as the header of an empty file, which is then exported using the...

CVSS: 9.1, AI score: 6.6, EPSS: 0.00141
Exploits: 0, References: 3, Affected Software: 2

NVD
added 2026/02/02 11:16 a.m., 2 views

CVE-2024-5986

A vulnerability in h2oai/h2o-3 version 3.46.0.1 allows remote attackers to write arbitrary data to any file on the server. This is achieved by exploiting the /3/Parse endpoint to inject attacker-controlled data as the header of an empty file, which is then exported using the...

CVSS: 9.1, EPSS: 0.00141
Exploits: 0, References: 1

Cvelist
added 2026/02/02 10:36 a.m., 25 views

CVE-2024-5986 Remote Arbitrary File Write with Arbitrary Data in h2oai/h2o-3

A vulnerability in h2oai/h2o-3 version 3.46.0.1 allows remote attackers to write arbitrary data to any file on the server. This is achieved by exploiting the /3/Parse endpoint to inject attacker-controlled data as the header of an empty file, which is then exported using the...

CVSS: 9.1, EPSS: 0.00141
Exploits: 0, References: 1

ATTACKERKB
added 2026/02/02 10:36 a.m., 2 views

CVE-2024-5986

A vulnerability in h2oai/h2o-3 version 3.46.0.1 allows remote attackers to write arbitrary data to any file on the server. This is achieved by exploiting the /3/Parse endpoint to inject attacker-controlled data as the header of an empty file, which is then exported using the...

CVSS: 9.1, AI score: 6.6, EPSS: 0.00141
Exploits: 0, References: 2

CVE
added 2026/02/02 10:36 a.m., 10 views

CVE-2024-5986

CVE-2024-5986 affects h2oai/h2o-3 in version 3.46.0.1, where remote attackers can write arbitrary data to any file on the server by abusing the /3/Parse endpoint to inject data as the header of an empty file, then exporting it via /3/Frames/framename/export. This can lead to remote code execution...

CVSS: 9.1, AI score: 6.6, EPSS: 0.00141
Exploits: 0, References: 1

Positive Technologies
added 2026/02/02 12:0 a.m., 1 view

PT-2026-5651

Name of the Vulnerable Software and Affected Versions: h2o-3 version 3.46.0.1 Description: A flaw exists in h2o-3 that permits remote attackers to write arbitrary data to any file on the server. The issue is due to exploiting the /3/Parse API endpoint to inject attacker-controlled data as the heade...

CVSS: 9.1, AI score: 9.1, EPSS: 0.00141
Exploits: 0, References: 8

GitLab Advisory Database
added 2026/02/02 12:0 a.m., 3 views

H2O has an External Control of File Name or Path vulnerability

A vulnerability in h2oai/h2o-3 version 3.46.0.1 allows remote attackers to write arbitrary data to any file on the server. This is achieved by exploiting the /3/Parse endpoint to inject attacker-controlled data as the header of an empty file, which is then exported using the...

CVSS: 9.1, AI score: 6.6, EPSS: 0.00141
Exploits: 0, References: 4

OSV
added 2025/08/15 12:39 p.m., 1 view

OESA-2025-1996 python-werkzeug security update

A comprehensive WSGI web application library. Security Fixes: Werkzeug is a comprehensive WSGI web application library. If an upload of a file that starts with CR or LF and then is followed by megabytes of data without these characters: all of these bytes are appended chunk by chunk into internal...

CVSS: 8, AI score: 6.9, EPSS: 0.00878
Exploits: 0, References: 2

RedhatCVE
added 2025/03/22 12:16 p.m., 3 views

CVE-2024-10549

A vulnerability in the /3/Parse endpoint of h2oai/h2o-3 version 3.46.0.1 allows for a denial of service (DoS) attack. The endpoint uses a user-specified string to construct a regular expression, which is then applied to another user-specified string. By sending multiple simultaneous requests, an...

CVSS: 7.5, AI score: 6.8, EPSS: 0.00345
Exploits: 1, References: 1

Snyk
added 2025/03/20 12:32 p.m., 1 view

Regular Expression Denial of Service (ReDoS)

Overview: Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) through the /3/Parse endpoint. An attacker can exhaust all available threads, leading to a complete denial of service by sending multiple simultaneous requests. PoC python import threading impo...

CVSS: 8.7, AI score: 6.7, EPSS: 0.00345
Exploits: 1, References: 2

OSV
added 2025/03/20 12:32 p.m., 0 views

GHSA-WWR9-4GMR-XVQ9 H2O Vulnerable to Denial of Service (DoS) via `/3/Parse` Endpoint

A vulnerability in the /3/Parse endpoint of h2oai/h2o-3 version 3.46.0.1 allows for a denial of service (DoS) attack. The endpoint uses a user-specified string to construct a regular expression, which is then applied to another user-specified string. By sending multiple simultaneous requests, an...

CVSS: 7.5, AI score: 5.9, EPSS: 0.00345
Exploits: 1, References: 4

CVE
added 2025/03/20 10:11 a.m., 40 views

CVE-2024-10549

CVE-2024-10549 concerns h2oai/h2o-3, version 3.46.0.1, where the vulnerable "/3/Parse" endpoint builds a regex from a user-supplied string and applies it to another user-supplied string. Under concurrent requests, this can exhaust worker threads and cause a denial of service. The issue is trigger...

CVSS: 7.5, AI score: 7.4, EPSS: 0.00345
Exploits: 1, References: 1, Affected Software: 1

CNNVD
added 2025/03/20 12:0 a.m., 1 view

H2O resource management error vulnerability

H2O is an in-memory platform for distributed, scalable machine learning open-sourced by H2O.ai. A resource management error vulnerability exists in H2O version 3.46.0.1, which stems from the use of a user-specified regular expression in the /3/Parse endpoint and could lead to a denial of service...

CVSS: 7.5, AI score: 7.4, EPSS: 0.00345
Exploits: 1, References: 1

OSV
added 2024/06/27 11:15 p.m., 2 views

DEBIAN-CVE-2016-20022

In the Linux kernel before 4.8, usb_parse_endpoint in drivers/usb/core/config.c does not validate the wMaxPacketSize field of an endpoint descriptor. NOTE: This vulnerability only affects products that are no longer supported by the supplier...

CVSS: 8.4, AI score: 6.9, EPSS: 0.00111
Exploits: 0, References: 1

Positive Technologies
added 2024/02/16 12:0 a.m., 1 view

PT-2024-40577 · Boost · Boost

Name of the Vulnerable Software and Affected Versions: boost affected versions not specified Description: The issue is related to a stack-overflow crash. Technical details about the crash include the involvement of specific function names such as parse subgraph, parse endpoint rest, and parse stm...

AI score: 6.8
Exploits: 0, References: 2

Veracode
added 2023/09/12 4:48 p.m., 12 views

Denial Of Service (DoS)

tcpreplay is vulnerable to Denial Of Service (DoS). The vulnerability exists in the parse endpoint function of the library, which allows an attacker to cause an application by providing a maliciously crafted input...

CVSS: 7.5, AI score: 6.9, EPSS: 0.00433
Exploits: 1, References: 8, Affected Software: 1

OSV
added 2022/02/28 2:15 p.m., 1 view

UBUNTU-CVE-2022-24685

HashiCorp Nomad and Nomad Enterprise 1.0.17, 1.1.11, and 1.2.5 allow invalid HCL for the jobs parse endpoint, which may cause excessive CPU usage. Fixed in 1.0.18, 1.1.12, and 1.2.6...

CVSS: 7.5, AI score: 5.8, EPSS: 0.00834
Exploits: 0, References: 4