VYPR
Critical severity · NVD Advisory · Published Feb 4, 2026 · Updated Feb 5, 2026

JinJava Bypass through ForTag leads to Arbitrary Java Execution

CVE-2026-25526

Description

JinJava is a Java-based template engine that implements Django/Jinja template syntax for rendering Jinja templates on the JVM. Before versions 2.7.6 and 2.8.3 (affected ranges: < 2.7.6, and >= 2.8.0 but < 2.8.3), the ForTag (the implementation of the {% for %} tag) can be used to bypass JinJava's built-in sandbox restrictions, leading to arbitrary Java execution: whoever controls template content can instantiate arbitrary Java classes and access files on the host. The issue is patched in versions 2.7.6 and 2.8.3; until an affected deployment is upgraded, any template authored by an untrusted party should be treated as untrusted code.


Affected packages

Versions sourced from the GitHub Security Advisory.

Package                               Affected versions    Patched versions
com.hubspot.jinjava:jinjava (Maven)   >= 2.8.0, < 2.8.3    2.8.3
com.hubspot.jinjava:jinjava (Maven)   < 2.7.6              2.7.6
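Added example (not code from the advisory or from the JinJava project): a Python check that applies the two affected ranges from the table above to the output of "mvn dependency:tree", so that a transitive pull-in of jinjava through another library is caught as well as a direct dependency. The version-ordering rule (a qualified version such as 2.8.3-rc1 sorts before the bare 2.8.3) is an assumption of this example, and the dependency:tree lines are constructed sample input.

```python
"""Flag com.hubspot.jinjava:jinjava versions inside CVE-2026-25526's affected ranges.

Added example, not code from the advisory or from the JinJava project. The two
ranges below are taken from the advisory's "Affected packages" table; the
dependency:tree text at the bottom is constructed sample input.
"""
import re

ARTIFACT = "com.hubspot.jinjava:jinjava"

# (lower bound inclusive or None, upper bound exclusive), per the advisory:
# "< 2.7.6" (fixed in 2.7.6) and ">= 2.8.0, < 2.8.3" (fixed in 2.8.3).
# 2.7.x releases at or above 2.7.6 are therefore patched.
AFFECTED_RANGES = [
    (None, "2.7.6"),
    ("2.8.0", "2.8.3"),
]

# Maven scopes that may trail a dependency:tree coordinate.
SCOPES = {"compile", "provided", "runtime", "test", "system", "import"}

# Colon-separated coordinate at the end of a line, e.g.
# "com.hubspot.jinjava:jinjava:jar:2.8.1:compile"
# (groupId:artifactId:type[:classifier]:version[:scope]).
COORDINATE = re.compile(r"([A-Za-z0-9_.\-]+(?::[A-Za-z0-9_.\-]+){3,5})\s*$")


def parse_version(version):
    """Turn '2.7.5' or '2.8.3-rc1' into a tuple that orders releases for range checks.

    Assumption (not from the advisory): versions are dotted numerics with an
    optional qualifier, and a qualified version such as 2.8.3-rc1 sorts before
    the bare 2.8.3 release, so it still falls inside a "< 2.8.3" range.
    """
    m = re.fullmatch(r"(\d+(?:\.\d+)*)[-.]?([A-Za-z0-9.\-]*)", version.strip())
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    numbers = tuple(int(part) for part in m.group(1).split("."))
    numbers += (0,) * (3 - len(numbers))  # "2.8" compares equal to "2.8.0"
    qualifier = m.group(2)
    return numbers, ((0, qualifier) if qualifier else (1, ""))


def is_affected(version):
    """True if `version` lies in any of the advisory's affected ranges."""
    parsed = parse_version(version)
    for low, high in AFFECTED_RANGES:
        if (low is None or parse_version(low) <= parsed) and parsed < parse_version(high):
            return True
    return False


def coordinate_of(line):
    """Return (groupId:artifactId, version) for one dependency:tree line, or None."""
    m = COORDINATE.search(line)
    if not m:
        return None
    parts = m.group(1).split(":")
    # The root module line has no scope; dependency lines end with one.
    version = parts[-2] if parts[-1] in SCOPES else parts[-1]
    return f"{parts[0]}:{parts[1]}", version


def scan_dependency_tree(text):
    """Return [(coordinate, version, affected)] for every jinjava entry in the tree."""
    findings = []
    for line in text.splitlines():
        parsed = coordinate_of(line)
        if parsed is None or parsed[0] != ARTIFACT:
            continue
        coordinate, version = parsed
        findings.append((coordinate, version, is_affected(version)))
    return findings


# Constructed sample of `mvn dependency:tree` output (not real project output).
SAMPLE_TREE = """\
[INFO] --- dependency:3.6.1:tree (default-cli) @ templating-service ---
[INFO] com.example:templating-service:jar:1.0.0
[INFO] +- com.hubspot.jinjava:jinjava:jar:2.8.1:compile
[INFO] |  \\- com.google.guava:guava:jar:33.0.0-jre:compile
[INFO] \\- org.slf4j:slf4j-api:jar:2.0.9:compile
[INFO] BUILD SUCCESS
"""

if __name__ == "__main__":
    for coordinate, version, affected in scan_dependency_tree(SAMPLE_TREE):
        status = "AFFECTED, upgrade to 2.7.6 or 2.8.3" if affected else "patched"
        print(f"{coordinate}:{version} -> {status}")
```

Run it against real output with "mvn dependency:tree | python check_jinjava.py"-style piping adapted to read stdin, or paste the tree into SAMPLE_TREE. Maven mediates each artifact to a single version per module, so one jinjava line per module is expected; in a multi-module build, check every module's tree, since the fix version differs between the 2.7 and 2.8 lines.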
