Critical severity · NVD Advisory · Published Feb 4, 2026 · Updated Feb 5, 2026
JinJava Bypass through ForTag leads to Arbitrary Java Execution
CVE-2026-25526
Description
JinJava is a Java-based template engine built on Django template syntax and adapted to render Jinja templates. Prior to versions 2.7.6 and 2.8.3, JinJava is vulnerable to arbitrary Java execution via a bypass through ForTag. This allows arbitrary Java class instantiation and file access, bypassing the built-in sandbox restrictions. This issue has been patched in versions 2.7.6 and 2.8.3.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| com.hubspot.jinjava:jinjava | Maven | >= 2.8.0, < 2.8.3 | 2.8.3 |
| com.hubspot.jinjava:jinjava | Maven | < 2.7.6 | 2.7.6 |
Affected products
OSV coordinates (8 versions, no CPE):
- pkg:apk/chainguard/kayenta-2025.0 · range: < 2025.0.8-r6
- pkg:apk/chainguard/kayenta-2025.1 · range: < 2025.1.6-r4
- pkg:apk/chainguard/kayenta-2025.2 · range: < 2025.2.3-r3
- pkg:apk/chainguard/kayenta-fips-2025.0 · range: < 2025.0.8-r7
- pkg:apk/chainguard/kayenta-fips-2025.1 · range: < 2025.1.6-r3
- pkg:apk/chainguard/kayenta-fips-2025.2 · range: < 2025.2.3-r3
- pkg:apk/chainguard/wso2is · range: < 7.3.0-r0
- pkg:maven/com.hubspot.jinjava/jinjava · range: >= 2.8.0, < 2.8.3
References
- https://github.com/advisories/GHSA-gjx9-j8f8-7j74 (GHSA, ADVISORY)
- https://nvd.nist.gov/vuln/detail/CVE-2026-25526 (GHSA, ADVISORY)
- https://github.com/HubSpot/jinjava/commit/3d02e504d8bbb13bf3fe019e9ca7b51dfce7a998 (GHSA, x_refsource_MISC, WEB)
- https://github.com/HubSpot/jinjava/commit/c7328dce6030ac718f88974196035edafef24441 (GHSA, x_refsource_MISC, WEB)
- https://github.com/HubSpot/jinjava/releases/tag/jinjava-2.7.6 (GHSA, x_refsource_MISC, WEB)
- https://github.com/HubSpot/jinjava/releases/tag/jinjava-2.8.3 (GHSA, x_refsource_MISC, WEB)
- https://github.com/HubSpot/jinjava/security/advisories/GHSA-gjx9-j8f8-7j74 (GHSA, x_refsource_CONFIRM, WEB)