CVE-2026-25526 (GCVE-0-2026-25526)
Vulnerability from cvelistv5 – Published: 2026-02-04 21:26 – Updated: 2026-02-05 21:01
VLAI?
Title
JinJava Bypass through ForTag leads to Arbitrary Java Execution
Summary
JinJava is a Java-based template engine based on django template syntax, adapted to render jinja templates. Prior to versions 2.7.6 and 2.8.3, JinJava is vulnerable to arbitrary Java execution via bypass through ForTag. This allows arbitrary Java class instantiation and file access bypassing built-in sandbox restrictions. This issue has been patched in versions 2.7.6 and 2.8.3.
Severity ?
9.8 (Critical)
CWE
- CWE-1336 - Improper Neutralization of Special Elements Used in a Template Engine
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-25526",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-05T21:00:49.634832Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-05T21:01:00.454Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "jinjava",
"vendor": "HubSpot",
"versions": [
{
"status": "affected",
"version": "\u003c 2.7.6"
},
{
"status": "affected",
"version": "\u003c 2.8.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "JinJava is a Java-based template engine based on django template syntax, adapted to render jinja templates. Prior to versions 2.7.6 and 2.8.3, JinJava is vulnerable to arbitrary Java execution via bypass through ForTag. This allows arbitrary Java class instantiation and file access bypassing built-in sandbox restrictions. This issue has been patched in versions 2.7.6 and 2.8.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1336",
"description": "CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-04T21:26:58.572Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/HubSpot/jinjava/security/advisories/GHSA-gjx9-j8f8-7j74",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/HubSpot/jinjava/security/advisories/GHSA-gjx9-j8f8-7j74"
},
{
"name": "https://github.com/HubSpot/jinjava/commit/3d02e504d8bbb13bf3fe019e9ca7b51dfce7a998",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/HubSpot/jinjava/commit/3d02e504d8bbb13bf3fe019e9ca7b51dfce7a998"
},
{
"name": "https://github.com/HubSpot/jinjava/commit/c7328dce6030ac718f88974196035edafef24441",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/HubSpot/jinjava/commit/c7328dce6030ac718f88974196035edafef24441"
},
{
"name": "https://github.com/HubSpot/jinjava/releases/tag/jinjava-2.7.6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/HubSpot/jinjava/releases/tag/jinjava-2.7.6"
},
{
"name": "https://github.com/HubSpot/jinjava/releases/tag/jinjava-2.8.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/HubSpot/jinjava/releases/tag/jinjava-2.8.3"
}
],
"source": {
"advisory": "GHSA-gjx9-j8f8-7j74",
"discovery": "UNKNOWN"
},
"title": "JinJava Bypass through ForTag leads to Arbitrary Java Execution"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-25526",
"datePublished": "2026-02-04T21:26:58.572Z",
"dateReserved": "2026-02-02T19:59:47.372Z",
"dateUpdated": "2026-02-05T21:01:00.454Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2026-25526\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-02-04T22:15:59.510\",\"lastModified\":\"2026-02-20T21:00:42.130\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"JinJava is a Java-based template engine based on django template syntax, adapted to render jinja templates. Prior to versions 2.7.6 and 2.8.3, JinJava is vulnerable to arbitrary Java execution via bypass through ForTag. This allows arbitrary Java class instantiation and file access bypassing built-in sandbox restrictions. This issue has been patched in versions 2.7.6 and 2.8.3.\"},{\"lang\":\"es\",\"value\":\"JinJava es un motor de plantillas basado en Java, basado en la sintaxis de plantillas de Django, adaptado para renderizar plantillas Jinja. Antes de las versiones 2.7.6 y 2.8.3, JinJava es vulnerable a la ejecuci\u00f3n arbitraria de Java a trav\u00e9s de un bypass mediante ForTag. Esto permite la instanciaci\u00f3n arbitraria de clases Java y el acceso a archivos eludiendo las restricciones de sandbox integradas. Este problema ha sido parcheado en las versiones 2.7.6 y 2.8.3.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-1336\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:hubspot:jinjava:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"2.7.6\",\"matchCriteriaId\":\"BC9EFEAD-5907-4796-A5F8-401DF7A9319A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:hubspot:jinjava:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.8.0\",\"versionEndExcluding\":\"2.8.3\",\"matchCriteriaId\":\"959D6165-C81D-4F46-B188-E1B1BAEA5266\"}]}]}],\"references\":[{\"url\":\"https://github.com/HubSpot/jinjava/commit/3d02e504d8bbb13bf3fe019e9ca7b51dfce7a998\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/HubSpot/jinjava/commit/c7328dce6030ac718f88974196035edafef24441\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/HubSpot/jinjava/releases/tag/jinjava-2.7.6\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Product\",\"Release Notes\"]},{\"url\":\"https://github.com/HubSpot/jinjava/releases/tag/jinjava-2.8.3\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Product\",\"Release Notes\"]},{\"url\":\"https://github.com/HubSpot/jinjava/security/advisories/GHSA-gjx9-j8f8-7j74\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-25526\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-02-05T21:00:49.634832Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-02-05T21:00:55.395Z\"}}], \"cna\": {\"title\": \"JinJava Bypass through ForTag leads to Arbitrary Java Execution\", \"source\": {\"advisory\": \"GHSA-gjx9-j8f8-7j74\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 9.8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"HubSpot\", \"product\": \"jinjava\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 2.7.6\"}, {\"status\": \"affected\", \"version\": \"\u003c 2.8.3\"}]}], \"references\": [{\"url\": \"https://github.com/HubSpot/jinjava/security/advisories/GHSA-gjx9-j8f8-7j74\", \"name\": \"https://github.com/HubSpot/jinjava/security/advisories/GHSA-gjx9-j8f8-7j74\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/HubSpot/jinjava/commit/3d02e504d8bbb13bf3fe019e9ca7b51dfce7a998\", \"name\": \"https://github.com/HubSpot/jinjava/commit/3d02e504d8bbb13bf3fe019e9ca7b51dfce7a998\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/HubSpot/jinjava/commit/c7328dce6030ac718f88974196035edafef24441\", \"name\": \"https://github.com/HubSpot/jinjava/commit/c7328dce6030ac718f88974196035edafef24441\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/HubSpot/jinjava/releases/tag/jinjava-2.7.6\", \"name\": \"https://github.com/HubSpot/jinjava/releases/tag/jinjava-2.7.6\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/HubSpot/jinjava/releases/tag/jinjava-2.8.3\", \"name\": \"https://github.com/HubSpot/jinjava/releases/tag/jinjava-2.8.3\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"JinJava is a Java-based template engine based on django template syntax, adapted to render jinja templates. Prior to versions 2.7.6 and 2.8.3, JinJava is vulnerable to arbitrary Java execution via bypass through ForTag. This allows arbitrary Java class instantiation and file access bypassing built-in sandbox restrictions. This issue has been patched in versions 2.7.6 and 2.8.3.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-1336\", \"description\": \"CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-02-04T21:26:58.572Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-25526\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-02-05T21:01:00.454Z\", \"dateReserved\": \"2026-02-02T19:59:47.372Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-02-04T21:26:58.572Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…