PT-2026-34648 · H2O-3

Published: 2026-04-23 · Updated: 2026-05-19 · CVE-2026-3960
CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: H2O-3 versions prior to 3.46.0.10
Description: An unauthenticated remote code execution issue exists in the REST API endpoint '/99/ImportSQLTable'. The flaw is caused by insufficient security controls in the parameter blacklist mechanism, which only filters dangerous parameters specific to the MySQL JDBC driver. An attacker can bypass these restrictions by changing the JDBC URL protocol to 'jdbc:postgresql:' and utilizing PostgreSQL JDBC driver-specific parameters, such as socketFactory and socketFactoryArg, to execute arbitrary code on the server with the privileges of the H2O-3 process.
Recommendations: Update to version 3.46.0.10.
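The blacklist-versus-allowlist point in the description, as an added example that is not H2O-3's own code: a constructed validator for user-supplied JDBC URLs built the way the advisory describes (a blacklist of MySQL-only option names) beside an allowlist of sub-protocols and per-driver options. The option names in both lists are assumptions for illustration, not the project's actual lists.

```python
# Added example (not H2O-3 code): a driver-specific option blacklist on a
# user-supplied JDBC URL stops checking as soon as the sub-protocol changes,
# whereas an allowlist of sub-protocols and option names does not.
from urllib.parse import parse_qsl

# Constructed blacklist of MySQL Connector/J option names (assumption: the
# advisory does not list the exact names H2O-3 filtered).
MYSQL_DANGEROUS = {"allowloadlocalinfile", "allowurlinlocalinfile", "autodeserialize"}

# Constructed allowlist: which sub-protocols may be dialled and which
# connection options each may carry. Anything not listed is rejected.
ALLOWED = {
    "mysql": {"usessl", "servertimezone", "connecttimeout"},
    "postgresql": {"ssl", "sslmode", "connecttimeout"},
}


def parse_jdbc_url(url: str):
    """Split 'jdbc:<subprotocol>:<rest>?k=v&k2=v2' into (subprotocol, {k: v})."""
    if not url.startswith("jdbc:"):
        raise ValueError("not a JDBC URL")
    rest = url[len("jdbc:"):]
    subprotocol, sep, rest = rest.partition(":")
    if not sep or not subprotocol:
        raise ValueError("missing JDBC sub-protocol")
    _, _, query = rest.partition("?")
    # Option names are compared case-insensitively; a later duplicate wins.
    params = {k.lower(): v for k, v in parse_qsl(query, keep_blank_values=True)}
    return subprotocol.lower(), params


def blacklist_check(url: str) -> bool:
    """Weak check: rejects only known-bad MySQL option names, for any driver."""
    _, params = parse_jdbc_url(url)
    return not any(name in MYSQL_DANGEROUS for name in params)


def allowlist_check(url: str) -> bool:
    """Hardened check: sub-protocol and every option name must be allowlisted."""
    try:
        subprotocol, params = parse_jdbc_url(url)
    except ValueError:
        return False
    permitted = ALLOWED.get(subprotocol)
    if permitted is None:
        return False  # unknown driver: reject rather than guess its options
    return all(name in permitted for name in params)
```

A PostgreSQL URL carrying socketFactory options passes blacklist_check because the blacklist knows nothing about that driver, and fails allowlist_check because neither option is permitted.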

Tags: Exploit · Fix · RCE · Code Injection


Weakness Enumeration

Related Identifiers

CVE-2026-3960
GHSA-QMCV-HH7C-3M56

Affected Products

H2O-3