cvedb.io
CVE-2026-25526
CRITICAL · CVSS 9.8
EPSS exploitation probability: 0%
Published 2026-02-04T22:15:59.510 · Last modified 2026-06-17T10:24:47.677

Summary

JinJava is a Java-based template engine based on Django template syntax, adapted to render Jinja templates. Prior to versions 2.7.6 and 2.8.3, JinJava is vulnerable to arbitrary Java execution via a bypass through ForTag. The bypass allows arbitrary Java class instantiation and file access, circumventing the built-in sandbox restrictions. This issue has been patched in versions 2.7.6 and 2.8.3.

Affected products

hubspot — jinjava

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.