CVE-2026-25526

9.8 CRITICAL
Published: February 04, 2026 Modified: February 20, 2026
View on NVD

Description

JinJava is a Java-based template engine based on django template syntax, adapted to render jinja templates. Prior to versions 2.7.6 and 2.8.3, JinJava is vulnerable to arbitrary Java execution via bypass through ForTag. This allows arbitrary Java class instantiation and file access bypassing built-in sandbox restrictions. This issue has been patched in versions 2.7.6 and 2.8.3.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

CVSS v3.x Details

0.0 Low Medium High Critical 10.0
Vector String
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory
https://github.com/HubSpot/jinjava/commit/3d02e504d8bbb13bf3fe019e9ca7b51dfce7a998
Source: security-advisories@github.com
Patch
https://github.com/HubSpot/jinjava/commit/c7328dce6030ac718f88974196035edafef24441
Source: security-advisories@github.com
Patch
https://github.com/HubSpot/jinjava/releases/tag/jinjava-2.7.6
Source: security-advisories@github.com
Product Release Notes
https://github.com/HubSpot/jinjava/releases/tag/jinjava-2.8.3
Source: security-advisories@github.com
Product Release Notes
https://github.com/HubSpot/jinjava/security/advisories/GHSA-gjx9-j8f8-7j74
Source: security-advisories@github.com
Patch Vendor Advisory

5 reference(s) from NVD

Quick Stats

CVSS v3 Score
9.8 / 10.0
EPSS (Exploit Probability)
0.0%
12th percentile
Exploitation Status
Not in CISA KEV

Weaknesses (CWE)

CWE-1336

Affected Vendors

hubspot

Related CVEs

CVE-2026-33179 5.5
CVE-2026-33165 5.5
CVE-2026-33164 N/A
CVE-2026-33156 7.8
CVE-2026-33155 N/A