Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
CVE Vulnerability Details :
CVE-2026-25526
PUBLISHED
More InfoOfficial Page
Assigner-GitHub_M
Assigner Org ID-a0819718-46f1-4df5-94e2-005712e83aaa
View Known Exploited Vulnerability (KEV) details
Published At-04 Feb, 2026 | 21:26
Updated At-05 Feb, 2026 | 21:01
Rejected At-
▼CVE Numbering Authority (CNA)
JinJava Bypass through ForTag leads to Arbitrary Java Execution

JinJava is a Java-based template engine based on django template syntax, adapted to render jinja templates. Prior to versions 2.7.6 and 2.8.3, JinJava is vulnerable to arbitrary Java execution via bypass through ForTag. This allows arbitrary Java class instantiation and file access bypassing built-in sandbox restrictions. This issue has been patched in versions 2.7.6 and 2.8.3.

Affected Products
Vendor
HubSpot
Product
jinjava
Versions
Affected
  • < 2.7.6
  • < 2.8.3
Problem Types
TypeCWE IDDescription
CWECWE-1336CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine
Type: CWE
CWE ID: CWE-1336
Description: CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine
Metrics
VersionBase scoreBase severityVector
3.19.8CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Version: 3.1
Base score: 9.8
Base severity: CRITICAL
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://github.com/HubSpot/jinjava/security/advisories/GHSA-gjx9-j8f8-7j74
x_refsource_CONFIRM
https://github.com/HubSpot/jinjava/commit/3d02e504d8bbb13bf3fe019e9ca7b51dfce7a998
x_refsource_MISC
https://github.com/HubSpot/jinjava/commit/c7328dce6030ac718f88974196035edafef24441
x_refsource_MISC
https://github.com/HubSpot/jinjava/releases/tag/jinjava-2.7.6
x_refsource_MISC
https://github.com/HubSpot/jinjava/releases/tag/jinjava-2.8.3
x_refsource_MISC
Hyperlink: https://github.com/HubSpot/jinjava/security/advisories/GHSA-gjx9-j8f8-7j74
Resource:
x_refsource_CONFIRM
Hyperlink: https://github.com/HubSpot/jinjava/commit/3d02e504d8bbb13bf3fe019e9ca7b51dfce7a998
Resource:
x_refsource_MISC
Hyperlink: https://github.com/HubSpot/jinjava/commit/c7328dce6030ac718f88974196035edafef24441
Resource:
x_refsource_MISC
Hyperlink: https://github.com/HubSpot/jinjava/releases/tag/jinjava-2.7.6
Resource:
x_refsource_MISC
Hyperlink: https://github.com/HubSpot/jinjava/releases/tag/jinjava-2.8.3
Resource:
x_refsource_MISC
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Details not found