FKIE_CVE-2026-25526

Vulnerability from fkie_nvd - Published: 2026-02-04 22:15 - Updated: 2026-02-20 21:00
Severity ?
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
JinJava is a Java-based template engine based on django template syntax, adapted to render jinja templates. Prior to versions 2.7.6 and 2.8.3, JinJava is vulnerable to arbitrary Java execution via bypass through ForTag. This allows arbitrary Java class instantiation and file access bypassing built-in sandbox restrictions. This issue has been patched in versions 2.7.6 and 2.8.3.
References
security-advisories@github.comhttps://github.com/HubSpot/jinjava/commit/3d02e504d8bbb13bf3fe019e9ca7b51dfce7a998Patch
security-advisories@github.comhttps://github.com/HubSpot/jinjava/commit/c7328dce6030ac718f88974196035edafef24441Patch
security-advisories@github.comhttps://github.com/HubSpot/jinjava/releases/tag/jinjava-2.7.6Product, Release Notes
security-advisories@github.comhttps://github.com/HubSpot/jinjava/releases/tag/jinjava-2.8.3Product, Release Notes
security-advisories@github.comhttps://github.com/HubSpot/jinjava/security/advisories/GHSA-gjx9-j8f8-7j74Patch, Vendor Advisory
Impacted products
Vendor Product Version
hubspot jinjava *
hubspot jinjava *
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:hubspot:jinjava:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "BC9EFEAD-5907-4796-A5F8-401DF7A9319A",
              "versionEndExcluding": "2.7.6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:hubspot:jinjava:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "959D6165-C81D-4F46-B188-E1B1BAEA5266",
              "versionEndExcluding": "2.8.3",
              "versionStartIncluding": "2.8.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "JinJava is a Java-based template engine based on django template syntax, adapted to render jinja templates. Prior to versions 2.7.6 and 2.8.3, JinJava is vulnerable to arbitrary Java execution via bypass through ForTag. This allows arbitrary Java class instantiation and file access bypassing built-in sandbox restrictions. This issue has been patched in versions 2.7.6 and 2.8.3."
    },
    {
      "lang": "es",
      "value": "JinJava es un motor de plantillas basado en Java, basado en la sintaxis de plantillas de Django, adaptado para renderizar plantillas Jinja. Antes de las versiones 2.7.6 y 2.8.3, JinJava es vulnerable a la ejecuci\u00f3n arbitraria de Java a trav\u00e9s de un bypass mediante ForTag. Esto permite la instanciaci\u00f3n arbitraria de clases Java y el acceso a archivos eludiendo las restricciones de sandbox integradas. Este problema ha sido parcheado en las versiones 2.7.6 y 2.8.3."
    }
  ],
  "id": "CVE-2026-25526",
  "lastModified": "2026-02-20T21:00:42.130",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-02-04T22:15:59.510",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/HubSpot/jinjava/commit/3d02e504d8bbb13bf3fe019e9ca7b51dfce7a998"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/HubSpot/jinjava/commit/c7328dce6030ac718f88974196035edafef24441"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Product",
        "Release Notes"
      ],
      "url": "https://github.com/HubSpot/jinjava/releases/tag/jinjava-2.7.6"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Product",
        "Release Notes"
      ],
      "url": "https://github.com/HubSpot/jinjava/releases/tag/jinjava-2.8.3"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://github.com/HubSpot/jinjava/security/advisories/GHSA-gjx9-j8f8-7j74"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-1336"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.