H2o Security Vulnerabilities (CVEs)
Track 17 security vulnerabilities affecting H2o products and software. Get instant email alerts when new CVEs are discovered, automated security monitoring, and patch guidance.
Jan 19, 2026: Quicly, an IETF QUIC protocol implementation, contains assertion failures that allow remote attackers to trigger denial-of-service crashes. Systems us...
Sep 21, 2025: This vulnerability in h2oai h2o-3 allows remote attackers to execute arbitrary code through deserialization attacks via the H2 JDBC Driver's connectio...
Sep 21, 2025: A critical deserialization vulnerability in h2oai/h2o-3 allows attackers to bypass security checks using double URL encoding, enabling arbitrary file ...
Mar 20, 2025: This vulnerability allows authenticated attackers to overwrite arbitrary files on the server hosting H2O-3 version 3.46.0. Attackers can exploit the /...
Mar 20, 2025: This vulnerability in h2oai/h2o-3 version 3.46.0 allows attackers to cause denial of service by exploiting the typeahead endpoint's lack of timeout on...
Mar 20, 2025: A denial-of-service vulnerability in h2o-3's ImportFiles endpoint allows attackers to recursively call the endpoint via the 'path' parameter, filling ...
Mar 20, 2025: This vulnerability in h2oai/h2o-3 allows attackers to cause denial of service by uploading specially crafted large GZIP files. The server becomes unre...
Mar 20, 2025: This vulnerability in h2oai/h2o-3 version 3.46.0 allows attackers to export trained models to arbitrary locations on the server's filesystem, overwrit...
Mar 20, 2025: This vulnerability in h2oai/h2o-3 version 3.46.0 exposes an endpoint that allows attackers to encrypt arbitrary files on the server with custom keys, ...
Mar 20, 2025: This vulnerability allows unauthenticated remote attackers to execute arbitrary code on H2O-3 machine learning platforms by exploiting insecure deseri...
Sep 6, 2024: This vulnerability in H2O.ai H2O allows attackers to set arbitrary JDBC URLs, leading to deserialization attacks, file reads, and remote code executio...
Jun 27, 2024: This vulnerability in h2oai/h2o-3 version 3.46.0 allows attackers to call the main function of any class under the water.tools namespace via the run_t...
Jun 6, 2024: This vulnerability in h2oai/h2o-3 version 3.40.0.4 allows remote attackers to view the entire filesystem path structure where the application is hoste...
Apr 16, 2024: This CVE describes an S3 bucket takeover vulnerability in the h2oai/h2o-3 repository where the 'http://s3.amazonaws.com/h2o-training' bucket was vulne...
Dec 14, 2023: This vulnerability in h2oai/h2o-3 allows attackers to control file paths used by the application, potentially leading to arbitrary file writes or read...
Nov 16, 2023: This vulnerability in H2O allows attackers to take over S3 bucket URLs by exploiting a reference to a bucket that no longer exists. This affects syste...
Nov 16, 2023: CVE-2023-6016 allows remote attackers to execute arbitrary code on H2O dashboard servers through insecure deserialization in the POJO model import fea...

Why Monitor H2o Security Vulnerabilities?
Real-time CVE tracking: Our automated system monitors 17+ known vulnerabilities affecting H2o products and software packages. Stay ahead of emerging threats with instant email notifications when new security issues are discovered.
Automated security monitoring: Unlike manual CVE checking, FixTheCVE automatically scans your servers and detects vulnerable H2o packages in under 60 seconds. No agents required - completely agentless scanning that works across H2o deployments.
Free vulnerability database: Access detailed information about every H2o CVE including CVSS scores, severity ratings, affected versions, and actionable patch guidance. Filter by critical, high, medium, or low severity to prioritize your security remediation efforts.