H2
This hub aggregates every CVE we track for H2, a product in the OSS libraries space. Use it to gauge the current risk picture and drill into individual advisories.
- CVEs tracked: 9
- Critical: 2
- High: 4
- In CISA KEV: 0
Severity distribution
- High: 4
- Medium: 3
- Critical: 2
Monthly trend
[Chart: CVEs per month, 2024-07 to 2026-06]
Latest CVEs
The 9 most recently published vulnerabilities affecting H2.
- CVE-2025-57804: h2 allows HTTP Request Smuggling due to illegal characters in headers (score 5.3)
- BDU:2024-02703: Vulnerability in the h2 library for the Rust programming language in the Tokio environment, related to unrestricted resource allocation, allowing an attacker to cause a denial of service (score 5.3)
- CVE-2023-26964: An issue was discovered in hyper v0.13.7. h2-0.2.4 Stream stacking occurs when the H2 component processes HTTP2 RST_STREAM frames. As a result, the memory and CPU usage are high which can lead to a... (score 7.5)
- CVE-2022-45868: The web-based admin console in H2 Database Engine before 2.2.220 can be started via the CLI with the argument -webAdminPassword, which allows the user to specify the password in cleartext for the w... (score 8.4)
- CVE-2022-23221: H2 Console before 2.1.210 allows remote attackers to execute arbitrary code via a jdbc:h2:mem JDBC URL containing the IGNORE_UNKNOWN_SETTINGS=TRUE;FORBID_CREATION=FALSE;INIT=RUNSCRIPT substring, a ... (score 9.8)
- CVE-2021-42392: The org.h2.util.JdbcUtils.getConnection method of the H2 database takes as parameters the class name of the driver and URL of the database. An attacker may pass a JNDI driver name and a URL leading... (score 9.8)
- CVE-2021-23463: XML External Entity (XXE) Injection (score 8.1)
- CVE-2018-14335: An issue was discovered in H2 1.4.197. Insecure handling of permissions in the backup function allows attackers to read sensitive files (outside of their permissions) via a symlink to a fake databa... (score 6.5)
- CVE-2018-10054: H2 1.4.197, as used in Datomic before 0.9.5697 and other products, allows remote code execution because CREATE ALIAS can execute arbitrary Java code. NOTE: the vendor's position is "h2 is not desig... (score 8.8)
Product normalization is registry-driven with AI assist and human review.