What is CVE-2026-3960?

CVE-2026-3960 is a critical-severity vulnerability in H2o, classified under Code Injection. CVSS score: 9.8/10. Published 2026-04-23.

How severe is CVE-2026-3960?

Critical severity. CVSS v3 base score is 9.8 out of 10.

RCE in H2o

CVE-2026-3960

A critical remote code execution vulnerability exists in the unauthenticated REST API endpoint /99/ImportSQLTable in H2O-3 version 3.46.0.9 and prior. The vulnerability arises due to insufficient security controls in the parameter blacklis…

Vulnerability class: RCE (Remote Code Execution)

EPSS: 0.004 (57.8th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 9.8 (Critical). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.

Affected products

H2o
H2oai H2oai/h2o-3 — versions unspecified

Weakness classification (CWE)

CWE-94 — Code Injection

References

security@huntr.dev (Exploit, Third Party Advisory)
security@huntr.dev (Patch)

Frequently asked questions

What is CVE-2026-3960?: CVE-2026-3960 is a critical-severity vulnerability in H2o, classified under Code Injection. CVSS score: 9.8/10. Published 2026-04-23.
How severe is CVE-2026-3960?: Critical severity. CVSS v3 base score is 9.8 out of 10.