Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
A vulnerability was identified in h2oai h2o-3 up to 7402. Affected by this issue is the function importFiles of the file h2o-core/src/main/java/water/persist/PersistNFS.java of the component ImportFile API. Such manipulation leads to information disclosure. The attack can be executed remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
AnalysisAI
Information disclosure in h2oai h2o-3 through version 7402 allows remote unauthenticated attackers to read arbitrary files from the server filesystem via the ImportFile API endpoint. The vulnerability resides in the importFiles function of PersistNFS.java and is confirmed actively exploited with publicly available exploit code (CVSS:4.0 E:P). Despite early vendor notification, h2oai has not responded or issued a patch, leaving deployments at risk of credential theft, source code exposure, or configuration file access.
Technical ContextAI
h2o-3 is an open-source machine learning platform written in Java. The vulnerability exists in water.persist.PersistNFS.importFiles() within h2o-core, which handles file import operations through the ImportFile API. This component is designed to load datasets from networked filesystems but fails to properly validate or restrict file paths. The root cause is CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), indicating insufficient access controls on file system operations. The CVSS vector confirms network-based exploitation (AV:N) with low complexity (AC:L) requiring no authentication (PR:N) or user interaction (UI:N), targeting confidentiality only (VC:L with no integrity or availability impact).
RemediationAI
No vendor-released patch exists at time of analysis despite early disclosure (vendor non-responsive per VulDB submission 810105). Immediate compensating controls required: (1) Restrict network access to h2o-3 API endpoints using firewall rules or reverse proxy authentication-allow only trusted IP ranges and authenticated users, though this increases operational overhead for legitimate data science workflows. (2) Deploy h2o-3 behind VPN or private network segments isolated from internet exposure-limits usability for remote teams. (3) Implement application-layer filtering to block or sanitize path traversal sequences in ImportFile API requests-requires custom middleware and may break legitimate import functionality if paths contain '..' legitimately. (4) Monitor access logs for ImportFile API calls with suspicious file paths (e.g., /etc/passwd, .ssh/, .aws/, config files)-detection-only, does not prevent exploitation. (5) If feasible, disable the ImportFile API entirely and use alternative data ingestion methods-eliminates attack surface but requires workflow changes. Exploit details available at https://vulnplus-note.wetolink.com/share/wWjmsfKHRJi3 should inform detection rule creation. Organizations must accept residual risk or migrate to alternative ML platforms until h2oai provides an official fix.
Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m
Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti
Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent
Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug
JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up
Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up
The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow
Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla
The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during
Same weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30694
GHSA-2g37-rjvj-534q