A vulnerability classified as critical has been found in h2oai h2o-3 up to 3.46.0.9/3.46.0.10 . Affected is the function jdbc:postgresql of the file /99/ImportSQLTable of the component REST API Endpoint . Performing a manipulation results in code injection. This vulnerability is reported as CVE-2026-3960 . The attack is possible to be carried out remotely. No exploit exists. It is recommended to upgrade the affected component.