These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.
CVE-2026-8752 is a medium-severity access control weakness reported in h2oai h2o-3 (up to 7402), in the Rapids setproperty primitive handler at AstSetProperty.exec. The source description says the issue can be triggered remotely and that public exploit material is available, which raises the operational risk for exposed deployments even though the base CVSS score is 5.5.
CVE-2026-8751 describes a remotely reachable flaw in h2oai h2o-3 up to 7402, centered on importBinaryModel in h2o-core/src/main/java/hex/Model.java and the JAR handling path. The issue is described as a manipulation that leads to deserialization, and the CVE notes that exploit code has been made public. For defenders, this is most important anywhere binary model imports are exposed to untrusted input or r [truncated]