PYSEC-2026-1441

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/h2o/PYSEC-2026-1441.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-1441
Aliases
Published
2026-07-07T14:34:57.173944Z
Modified
2026-07-07T17:46:12.517317926Z
Severity
  • 8.2 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H CVSS Calculator
Summary
H2O Vulnerable to Arbitrary File Overwrite
Details

In h2oai/h2o-3 version 3.46.0, the /99/Models/{name}/json endpoint allows for arbitrary file overwrite on the target server. The vulnerability arises from the exportModelDetails function in ModelsHandler.java, where the user-controllable mexport.dir parameter is used to specify the file path for writing model details. This can lead to overwriting files at arbitrary locations on the host system.

References

Affected packages

PyPI / h2o

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.10.4.1
Last affected
3.46.0

Affected versions

3.*
3.10.4.1
3.10.4.2
3.10.4.3
3.10.4.4
3.10.4.6
3.10.4.8
3.16.0.1
3.16.0.2
3.16.0.3
3.16.0.4
3.18.0.1
3.18.0.2
3.18.0.3
3.18.0.4
3.18.0.5
3.18.0.6
3.18.0.7
3.18.0.8
3.18.0.9
3.18.0.10
3.18.0.11
3.20.0.4
3.20.0.5
3.20.0.6
3.20.0.7
3.20.0.8
3.22.0.1
3.22.0.2
3.22.0.3
3.22.0.4
3.22.0.5
3.22.1.1
3.22.1.2
3.22.1.3
3.22.1.4
3.22.1.5
3.22.1.6
3.24.0.1
3.24.0.2
3.24.0.3
3.24.0.4
3.24.0.5
3.26.0.1
3.26.0.2
3.26.0.3
3.26.0.4
3.26.0.5
3.26.0.6
3.26.0.8
3.26.0.9
3.26.0.10
3.26.0.11
3.28.0.1
3.28.0.2
3.28.0.3
3.28.1.2
3.28.1.3
3.30.0.1
3.30.0.2
3.30.0.3
3.30.0.4
3.30.0.5
3.30.0.6
3.30.0.7
3.30.1.1
3.30.1.2
3.30.1.3
3.32.0.2
3.32.0.3
3.32.0.4
3.32.0.5
3.32.1.1
3.32.1.2
3.32.1.3
3.32.1.4
3.32.1.5
3.32.1.6
3.32.1.7
3.34.0.3
3.34.0.7
3.34.0.8
3.36.0.2
3.36.0.3
3.36.0.4
3.36.1.1
3.36.1.2
3.36.1.3
3.36.1.4
3.36.1.5
3.38.0.1
3.38.0.2
3.38.0.3
3.38.0.4
3.40.0.1
3.40.0.2
3.40.0.3
3.40.0.4
3.42.0.1
3.42.0.2
3.42.0.3
3.42.0.4
3.44.0.1
3.44.0.2
3.44.0.3

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/h2o/PYSEC-2026-1441.yaml"