Which versions of H2O-3 are affected by EUVD-2026-30697?

CVE-2026-8751 is a critical remote code execution vulnerability in H2O-3 (versions ≤7402) that allows unauthenticated attackers to execute arbitrary code by submitting malicious files to the…

Is there a public PoC exploit available for EUVD-2026-30697?

Yes, a public proof-of-concept exploit is available for EUVD-2026-30697. Prioritise patching immediately. EPSS: 0.0%.

H2O-3 EUVD-2026-30697

Q: What is the CVSS score of EUVD-2026-30697?

EUVD-2026-30697 has a CVSS 4.0 base score of 5.5 (Medium). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

| CVE-2026-8751 MEDIUM

Deserialization of Untrusted Data (CWE-502)

2026-05-17 VulDB

GHSA-gvx7-3472-56wj

Java Deserialization

5.5

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

Severity Changed

May 17, 2026 - 12:22 NVD

HIGH MEDIUM

CVSS changed

May 17, 2026 - 12:22 NVD

7.3 (HIGH) 5.5 (MEDIUM)

Analysis Generated

May 17, 2026 - 12:01 vuln.today

DescriptionNVD

A security flaw has been discovered in h2oai h2o-3 up to 7402. This affects the function importBinaryModel of the file h2o-core/src/main/java/hex/Model.java of the component JAR Handler. Performing a manipulation results in deserialization. The attack is possible to be carried out remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Deserialization vulnerability in H2O-3 machine learning platform versions up to 7402 enables remote code execution through the importBinaryModel function when processing malicious JAR files. The vulnerability allows unauthenticated remote attackers to execute arbitrary code with publicly available exploit code (CVSS 7.3, EPSS not provided). …

RemediationAI

Within 24 hours: Identify all systems running H2O-3 versions 7402 and earlier; disable or restrict network access to the importBinaryModel API endpoint immediately. Within 7 days: Evaluate migration to alternative ML platforms or isolated H2O-3 instances in air-gapped environments; contact H2O vendor directly to escalate patch development. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

EUVD-2026-30697 vulnerability details – vuln.today

Back

H2O-3 EUVD-2026-30697

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Analysis

Full analysis requires sign-in

Share

H2O-3 EUVD-2026-30697

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code