PT-2026-53439 · Pypi · H2O
Published
2026-06-29
·
Updated
2026-06-29
CVSS v3.1
9.3
Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:H |
Remote unauthenticated attackers can overwrite arbitrary server files with attacker-controllable data. The data that the attacker can control is not entirely arbitrary. h2o writes a CSV/XLS/etc file to disk, so the attacker data is wrapped in quotations and starts with "C1", if they're exporting as CSV.
Fix
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
H2O