cbcvebase.
CVE-2024-5986
published 2026-02-02


Priority: P2 65
Severity: critical, 9.1 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
EPSS: 0.63% (45.6th percentile)

A vulnerability in h2oai/h2o-3 version 3.46.0.1 allows remote attackers to write arbitrary data to any file on the server. This is achieved by exploiting the `/3/Parse` endpoint to inject attacker-controlled data as the header of an empty file, which is then exported using the `/3/Frames/framename/export` endpoint. The impact of this vulnerability includes the potential for remote code execution and complete access to the system running h2o-3, as attackers can overwrite critical files such as private SSH keys or script files.

Affected

2 ranges
Vendor | Product     | Version range        | Fixed in
h2o    | h2o         | 0 – 3.46.0.1         |
h2oai  | h2oai_h2o-3 | unspecified – latest |

Detection & IOCs (extracted from sources)

url: /3/Parse
url: /3/Frames/framename/export
  • Monitor HTTP requests to the /3/Parse endpoint for attacker-controlled header injection into empty files, which is the first stage of the exploit chain.
  • Monitor HTTP requests to the /3/Frames/framename/export endpoint for attempts to export frames to sensitive filesystem paths (e.g., SSH keys, script files), which is the second stage of the exploit chain enabling arbitrary file write.
  • Alert on any h2o-3 process writing to sensitive paths (e.g., ~/.ssh/, cron directories, shell scripts) as this indicates successful exploitation of the arbitrary file write primitive.
  • The vulnerability affects h2o-3 version 3.46.0.1 specifically; confirm the deployed version before applying detections.
  • Both the /3/Parse and /3/Frames/framename/export endpoints must be accessible to remote attackers for the full exploit chain to succeed; restricting network access to these endpoints reduces exposure.
  • No fix was available as of the published date (Feb 03, 2026) for both Maven and pip distributions of h2o.
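
A sketch of the first two monitoring points as log correlation, added here as an example and not taken from the sources above: it flags an export request that follows a `/3/Parse` request from the same client within a time window. The access-log format (common log format from a proxy in front of h2o-3), the 10-minute default window, the function name `find_parse_then_export` and the sample lines are all assumptions; such logs do not record the export destination, so a hit marks the two-stage sequence for review rather than a confirmed write.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit, unquote

# Constructed sample lines in common log format (assumed proxy in front of h2o-3).
SAMPLE_LOG = """\
203.0.113.7 - - [02/Feb/2026:10:00:01 +0000] "POST /3/Parse HTTP/1.1" 200 512
203.0.113.7 - - [02/Feb/2026:10:00:04 +0000] "POST /3/Frames/empty.hex/export HTTP/1.1" 200 128
198.51.100.9 - - [02/Feb/2026:10:05:00 +0000] "GET /3/Frames/train.hex/summary HTTP/1.1" 200 900
198.51.100.9 - - [02/Feb/2026:11:30:00 +0000] "POST /3/Frames/train.hex/export HTTP/1.1" 200 128
192.0.2.44 - - [02/Feb/2026:12:00:00 +0000] "POST /3/Parse HTTP/1.1" 200 512
192.0.2.44 - - [02/Feb/2026:12:40:00 +0000] "POST /3/Frames/%66oo/export?x=1 HTTP/1.1" 200 128
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
EXPORT_RE = re.compile(r"^/3/Frames/([^/]+)/export/?$")


def find_parse_then_export(log_text, window=timedelta(minutes=10)):
    """Return (client, frame, parse_time, export_time) for each export request
    that follows a /3/Parse request from the same client within `window`.
    Assumes the log lines are in chronological order."""
    last_parse = {}  # client -> time of its most recent /3/Parse request
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        client, ts, _method, target, _status = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        path = unquote(urlsplit(target).path)  # drop the query, decode %xx
        if path.rstrip("/") == "/3/Parse":
            last_parse[client] = when
            continue
        exp = EXPORT_RE.match(path)
        if exp and client in last_parse:
            gap = when - last_parse[client]
            if timedelta(0) <= gap <= window:
                hits.append((client, exp.group(1), last_parse[client], when))
    return hits


if __name__ == "__main__":
    for client, frame, parsed, exported in find_parse_then_export(SAMPLE_LOG):
        print(f"{client}: /3/Parse at {parsed}, export of {frame!r} at {exported}")
```
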