ai.h2o:h2o-core (Maven) — known CVEs & security advisories
Known CVE vulnerabilities and GitHub Security Advisories affecting the Maven package ai.h2o:h2o-core, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVEs (15)
CVE-2025-6544 — CVSS 9.8 (critical): A deserialization vulnerability exists in h2oai/h2o-3 versions <= 3.46.0.8, allowing attackers to read arbitrary system files and execute…
CVE-2024-10553 — CVSS 9.8 (critical): A vulnerability in the h2oai/h2o-3 REST API versions 3.46.0.4 allows unauthenticated remote attackers to execute arbitrary code via…
CVE-2026-3960 — CVSS 9.8 (critical): A critical remote code execution vulnerability exists in the unauthenticated REST API endpoint /99/ImportSQLTable in H2O-3 version 3.46.0.9…
CVE-2024-45758 — CVSS 9.1 (critical): H2O.ai H2O through 3.46.0.4 allows attackers to arbitrarily set the JDBC URL, leading to deserialization attacks, file reads, and command…
CVE-2024-5986 — CVSS 9.1 (critical): A vulnerability in h2oai/h2o-3 version 3.46.0.1 allows remote attackers to write arbitrary data to any file on the server. This is achieved…
CVE-2024-8616 — CVSS 8.2 (high): In h2oai/h2o-3 version 3.46.0, the `/99/Models/{name}/json` endpoint allows for arbitrary file overwrite on the target server. The…
CVE-2024-8062 — CVSS 7.5 (high): A vulnerability in the typeahead endpoint of h2oai/h2o-3 version 3.46.0 allows for a denial of service. The endpoint performs a `HEAD`…
CVE-2023-6038 — CVSS 7.5 (high): A Local File Inclusion (LFI) vulnerability exists in the h2o-3 REST API, allowing unauthenticated remote attackers to read arbitrary files…
CVE-2024-10549 — CVSS 7.5 (high): A vulnerability in the `/3/Parse` endpoint of h2oai/h2o-3 version 3.46.0.1 allows for a denial of service (DoS) attack. The endpoint uses a…
CVE-2024-10550 — CVSS 7.5 (high): A vulnerability in the `/3/ParseSetup` endpoint of h2oai/h2o-3 version 3.46.0.1 allows for a denial of service (DoS) attack. The endpoint…
CVE-2024-6960 — CVSS 7.5 (high): The H2O machine learning platform uses "Iced" classes as the primary means of moving Java Objects around the cluster. The Iced format…
CVE-2024-7765 — CVSS 7.5 (high): In h2oai/h2o-3 version 3.46.0.2, a vulnerability exists where uploading and repeatedly parsing a large GZIP file can cause a denial of…
CVE-2024-7768 — CVSS 7.5 (high): A vulnerability in the `/3/ImportFiles` endpoint of h2oai/h2o-3 version 3.46.1 allows an attacker to cause a denial of service. The…
CVE-2024-6854 — CVSS 7.1 (high): In h2oai/h2o-3 version 3.46.0, the endpoint for exporting models does not restrict the export location, allowing an attacker to export a…
CVE-2024-6863 — CVSS 6.5 (medium): In h2oai/h2o-3 version 3.46.0, an endpoint exposing a custom EncryptionTool allows an attacker to encrypt any files on the target server…