
CVE-2026-8751: h2o-3 JAR Handler Model Import Vulnerable to Remote Deserialization

CVE-2026-8751
Summary

A remote attacker can exploit a deserialization flaw in the JAR Handler component of h2o-3 (the importBinaryModel function), potentially taking control of the affected system. This affects versions up to 7402. We recommend updating to the latest version as soon as possible.

What to do

No fix is available yet. Check with your software vendor for updates.

Affected software
| Vendor | Product | Affected versions |
|--------|---------|-------------------|
| h2o    | h2o     | <= 7402           |
cpe:2.3:a:h2o:h2o:*:*:*:*:*:*:*:*
Original title
A security flaw has been discovered in h2oai h2o-3 up to 7402. This affects the function importBinaryModel of the file h2o-core/src/main/java/hex/Model.java of the component JAR Handler. Performing...
Original description
A security flaw has been discovered in h2oai h2o-3 up to 7402. This affects the function importBinaryModel of the file h2o-core/src/main/java/hex/Model.java of the component JAR Handler. Performing a manipulation results in deserialization. The attack is possible to be carried out remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
nvd CVSS2.0 7.5
nvd CVSS3.1 7.3
nvd CVSS4.0 5.5
Vulnerability type
CWE-20 Improper Input Validation
CWE-502 Deserialization of Untrusted Data
Published: 17 May 2026 · Updated: 28 May 2026 · First seen: 17 May 2026