CVE-2026-3960

critical
Published 2026-04-23 · Modified 2026-05-04
CVSS v3: 9.8 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVSS v2
VIR risk: 9.8

Description

H2O-3 is Vulnerable to Code Injection

Predictions

Exploit likelihood: 97%
Patch ETA

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: security@huntr.dev — https://github.com/h2oai/h2o-3/commit/b9ae2d3c5220db2dc53753357a783e590364d044

Package impact

Ecosystem | Package | Vulnerable | Fixed
java Maven | ai.h2o:h2o-core | <3.46.0.10 | 3.46.0.10
java MAVEN | ai.h2o:h2o-core | < 3.46.0.10 | 3.46.0.10

Application impact

Vendor | Product | Versions | Fixed
h2o | h2o | {"endExcluding":"3.46.0.10"} | 3.46.0.10

References

CWEs

CWE-94
