9.8

CVE-2026-25526

JinJava Bypass through ForTag leads to Arbitrary Java Execution

JinJava is a Java-based template engine based on django template syntax, adapted to render jinja templates. Prior to versions 2.7.6 and 2.8.3, JinJava is vulnerable to arbitrary Java execution via bypass through ForTag. This allows arbitrary Java class instantiation and file access bypassing built-in sandbox restrictions. This issue has been patched in versions 2.7.6 and 2.8.3.
Data provided by the National Vulnerability Database (NVD)
HubspotJinjava Version < 2.7.6
HubspotJinjava Version >= 2.8.0 < 2.8.3
VulnDex Vulnerability Enrichment
No warning was found for this CVE.
EPSS Metrics
Type Source Score Percentile
EPSS FIRST.org 0.89% 0.546
CVSS Metrics
Source Base Score Exploit Score Impact Score Vector String
security-advisories@github.com 9.8 3.9 5.9
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE-1336 Improper Neutralization of Special Elements Used in a Template Engine

The product uses a template engine to insert or process externally-influenced input, but it does not neutralize or incorrectly neutralizes special elements or syntax that can be interpreted as template expressions or other code directives when processed by the engine.

https://github.com/HubSpot/jinjava/security/advisories/GHSA-gjx9-j8f8-7j74
Patch
Vendor Advisory
https://github.com/HubSpot/jinjava/commit/3d02e504d8bbb13bf3fe019e9ca7b51dfce7a998
Patch
https://github.com/HubSpot/jinjava/commit/c7328dce6030ac718f88974196035edafef24441
Patch
https://github.com/HubSpot/jinjava/releases/tag/jinjava-2.7.6
Product
Release Notes
https://github.com/HubSpot/jinjava/releases/tag/jinjava-2.8.3
Product
Release Notes