h2oai — Vulnerabilities & Security Advisories 26

Browse all 26 CVE security advisories affecting h2oai. AI-powered Chinese analysis, POCs, and references for each vulnerability.

H2oai provides an open-source artificial intelligence platform designed to accelerate the deployment of machine learning models, primarily serving data scientists and enterprises seeking streamlined AI workflows. Despite its utility in automating model development, the software has historically exhibited significant security deficiencies, evidenced by twenty-six recorded Common Vulnerabilities and Exposures. These flaws predominantly involve remote code execution and cross-site scripting, allowing attackers to compromise system integrity or steal sensitive data. Additionally, several incidents highlight privilege escalation risks, where unauthorized users gain elevated access to underlying infrastructure. The accumulation of these vulnerabilities suggests inconsistent security practices within the codebase, raising concerns for organizations relying on the platform for critical operations. While the company continues to update its offerings, the persistent presence of high-severity bugs underscores the need for rigorous third-party audits and immediate patching to mitigate potential exploitation in production environments.

Top products by h2oai: h2oai/h2o-3, h2o-3

| CVE ID | Title | CVSS | Severity | Published |
|---|---|---|---|---|
| CVE-2026-3960 | Remote Code Execution in h2oai/h2o-3 — h2oai/h2o-3 CWE-94 | 9.8 (AI) | Critical (AI) | 2026-04-23 |
| CVE-2024-5986 | Remote Arbitrary File Write with Arbitrary Data in h2oai/h2o-3 — h2oai/h2o-3 CWE-73 | 9.8 (AI) | Critical (AI) | 2026-02-02 |
| CVE-2025-10769 | h2oai h2o-3 H2 JDBC Driver ImportSQLTable deserialization — h2o-3 CWE-502 | 6.3 | Medium | 2025-09-21 |
| CVE-2025-10768 | h2oai h2o-3 IBMDB2 JDBC Driver ImportSQLTable deserialization — h2o-3 CWE-502 | 6.3 | Medium | 2025-09-21 |
| CVE-2025-6544 | Deserialization Vulnerability in h2oai/h2o-3 — h2oai/h2o-3 CWE-502 | 9.8 (AI) | Critical (AI) | 2025-09-21 |
| CVE-2025-5662 | Deserialization Vulnerability in h2oai/h2o-3 — h2oai/h2o-3 CWE-502 | 9.8 | - | 2025-09-02 |
| CVE-2025-6507 | Deserialization of Untrusted Data in h2oai/h2o-3 — h2oai/h2o-3 CWE-502 | 9.8 | - | 2025-09-01 |
| CVE-2024-10549 | Denial of Service by ReDOS in h2oai/h2o-3 — h2oai/h2o-3 CWE-1333 | 7.5 | - | 2025-03-20 |
| CVE-2024-8062 | Denial of Service in h2oai/h2o-3 — h2oai/h2o-3 CWE-1088 | 7.5 | - | 2025-03-20 |
| CVE-2024-7768 | Denial of Service in h2oai/h2o-3 — h2oai/h2o-3 CWE-770 | 7.5 | - | 2025-03-20 |
| CVE-2024-6863 | Encryption of Arbitrary Files with Attacker-Controlled Key in h2oai/h2o-3 — h2oai/h2o-3 CWE-749 | 9.1 | - | 2025-03-20 |
| CVE-2024-8616 | Arbitrary File Overwrite in h2oai/h2o-3 — h2oai/h2o-3 CWE-73 | 8.6 | - | 2025-03-20 |
| CVE-2024-10550 | Denial of Service by ReDOS in h2oai/h2o-3 — h2oai/h2o-3 CWE-1333 | 7.5 | - | 2025-03-20 |
| CVE-2024-6854 | Arbitrary File Overwrite in h2oai/h2o-3 — h2oai/h2o-3 CWE-36 | 7.5 | - | 2025-03-20 |
| CVE-2024-10572 | Denial of Service and Arbitrary File Write in h2oai/h2o-3 — h2oai/h2o-3 CWE-94 | 9.1 | - | 2025-03-20 |
| CVE-2024-10553 | Jdbc Deserialization in h2oai/h2o-3 — h2oai/h2o-3 CWE-502 | 9.8 | - | 2025-03-20 |
| CVE-2024-7765 | Denial of Service in h2oai/h2o-3 — h2oai/h2o-3 CWE-409 | 7.5 | - | 2025-03-20 |
| CVE-2024-8862 | h2oai h2o-3 JDBC Connection 1 getConnectionSafe deserialization — h2o-3 CWE-502 | 7.3 | High | 2024-09-14 |
| CVE-2024-5979 | Denial of Service via Invalid Argument in h2oai/h2o-3 — h2oai/h2o-3 CWE-94 | 7.5 (AI) | High (AI) | 2024-06-27 |
| CVE-2024-5550 | Exposure of Sensitive Information via Arbitrary System Path Lookup in h2oai/h2o-3 — h2oai/h2o-3 CWE-22 | 4.3 (AI) | Medium (AI) | 2024-06-06 |
| CVE-2024-1456 | S3 Bucket Takeover in h2oai/h2o-3 — h2oai/h2o-3 CWE-840 | 9.8 | - | 2024-04-16 |
| CVE-2023-6569 | External Control of File Name or Path in h2oai/h2o-3 — h2oai/h2o-3 CWE-73 | 7.1 (AI) | High (AI) | 2023-12-14 |
| CVE-2023-6013 | H2O Local File Include — h2oai/h2o-3 CWE-79 | 5.4 | - | 2023-11-16 |
| CVE-2023-6017 | H2O S3 Bucket Takeover — h2oai/h2o-3 CWE-840 | 9.3 | - | 2023-11-16 |
| CVE-2023-6038 | Local File Inclusion in h2oai/h2o-3 — h2oai/h2o-3 CWE-862 | 7.5 | - | 2023-11-16 |
| CVE-2023-6016 | H2O Remote Code Execution via POJO Model Import — h2oai/h2o-3 CWE-94 | 8.8 | - | 2023-11-16 |

This page lists every published CVE security advisory associated with h2oai. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.