CVE-2026-25526

CRITICAL EPSS 54.8%
Published Feb 4, 20264mo ago · Modified Jun 17, 20261w ago
9.8 CVSS 3.1
Critical
Find Similar
Published Feb 4, 2026 4mo ago
Last Modified Jun 17, 2026 1w ago

Description

JinJava is a Java-based template engine based on django template syntax, adapted to render jinja templates. Prior to versions 2.7.6 and 2.8.3, JinJava is vulnerable to arbitrary Java execution via bypass through ForTag. This allows arbitrary Java class instantiation and file access bypassing built-in sandbox restrictions. This issue has been patched in versions 2.7.6 and 2.8.3.

CVSS Details

Base Score
9.8
Exploitability
3.9
Impact
5.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High

Threat Intelligence

EPSS Exploit Probability
54.8% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-1336

Affected Products 2

VendorProductVersionRange
hubspotjinjava* <2.7.6
hubspotjinjava*≥2.8.0  –  <2.8.3

References 5

  • github.com https://github.com/HubSpot/jinjava/commit/3d02e504d8bbb13bf3fe019e9ca7b51dfce7a998
    Patch
  • github.com https://github.com/HubSpot/jinjava/commit/c7328dce6030ac718f88974196035edafef24441
    Patch
  • github.com https://github.com/HubSpot/jinjava/releases/tag/jinjava-2.7.6
    ProductRelease Notes
  • github.com https://github.com/HubSpot/jinjava/releases/tag/jinjava-2.8.3
    ProductRelease Notes
  • github.com https://github.com/HubSpot/jinjava/security/advisories/GHSA-gjx9-j8f8-7j74
    PatchVendor Advisory

Remediation

  • github.com https://github.com/HubSpot/jinjava/commit/3d02e504d8bbb13bf3fe019e9ca7b51dfce7a998
    Patch
  • github.com https://github.com/HubSpot/jinjava/commit/c7328dce6030ac718f88974196035edafef24441
    Patch
  • github.com https://github.com/HubSpot/jinjava/security/advisories/GHSA-gjx9-j8f8-7j74
    PatchVendor Advisory