CVE-2026-25526

EPSS 0.04%
Veröffentlicht 04.02.2026 21:26:58
Zuletzt bearbeitet 20.02.2026 21:00:42
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

JinJava is a Java-based template engine based on django template syntax, adapted to render jinja templates. Prior to versions 2.7.6 and 2.8.3, JinJava is vulnerable to arbitrary Java execution via bypass through ForTag. This allows arbitrary Java class instantiation and file access bypassing built-in sandbox restrictions. This issue has been patched in versions 2.7.6 and 2.8.3.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 8

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Hubspot ≫ Jinjava Version < 2.7.6

Hubspot ≫ Jinjava Version >= 2.8.0 < 2.8.3

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.04%	0.11

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-1336 Improper Neutralization of Special Elements Used in a Template Engine

The product uses a template engine to insert or process externally-influenced input, but it does not neutralize or incorrectly neutralizes special elements or syntax that can be interpreted as template expressions or other code directives when processed by the engine.

https://github.com/HubSpot/jinjava/security/advisories/GHSA-gjx9-j8f8-7j74

Patch

Vendor Advisory

https://github.com/HubSpot/jinjava/commit/3d02e504d8bbb13bf3fe019e9ca7b51dfce7a998

Patch

https://github.com/HubSpot/jinjava/commit/c7328dce6030ac718f88974196035edafef24441

Patch

https://github.com/HubSpot/jinjava/releases/tag/jinjava-2.7.6

Product

Release Notes

https://github.com/HubSpot/jinjava/releases/tag/jinjava-2.8.3

Product