# CVE-2026-3960

> Vulnerability · severity: **MEDIUM** (CVSS 5.9).

## Description

A critical remote code execution vulnerability exists in the unauthenticated REST API endpoint /99/ImportSQLTable in H2O-3 version 3.46.0.9 and prior. The vulnerability arises due to insufficient security controls in the parameter blacklist mechanism, which only targets MySQL JDBC driver-specific dangerous parameters. An attacker can bypass these controls by switching the JDBC URL protocol to jdbc:postgresql: and exploiting PostgreSQL JDBC driver-specific parameters such as socketFactory and socketFactoryArg. This allows unauthenticated attackers to execute arbitrary code on the H2O-3 server with the privileges of the H2O-3 process. The issue is resolved in version 3.46.0.10.

## Key facts

- **CVE ID:** CVE-2026-3960
- **Published:** 2026-04-23
- **CVSS severity:** MEDIUM
- **CVSS base score:** 5.9
- **CWE codes:** CWE-94

## Primary sources

- NIST NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-3960

## Citation

> AI Analytics. CVE-2026-3960. Retrieved 2026-07-19 from https://api.ai-analytics.org/cve/CVE-2026-3960. Derived from NIST NVD. Licensed CC0.

---

*[Dataset catalog](https://api.ai-analytics.org/datasets/) · [AI Analytics](https://api.ai-analytics.org/) · CC0 1.0*