CVE-2026-25526
CRITICALJinJava 2.7.0-2.7.5 and 2.8.0-2.8.2 - Remote Code Execution via ForTag Sandbox Bypass
Title source: llmExploitation Summary
EIP tracks 2 public exploits for CVE-2026-25526. PoCs published by XiaomingX, av4nth1ka.
AI-analyzed exploit summary The repository contains only a minimal README with no exploit code, technical details, or lab setup instructions. It appears to be a placeholder for a PoC that has not been populated.
Description
JinJava is a Java-based template engine based on django template syntax, adapted to render jinja templates. Prior to versions 2.7.6 and 2.8.3, JinJava is vulnerable to arbitrary Java execution via bypass through ForTag. This allows arbitrary Java class instantiation and file access bypassing built-in sandbox restrictions. This issue has been patched in versions 2.7.6 and 2.8.3.
Exploits (2)
The repository contains only a minimal README with no exploit code, technical details, or lab setup instructions. It appears to be a placeholder for a PoC that has not been populated.
This repository contains a functional proof-of-concept exploit for CVE-2026-25526, targeting Jinjava. The exploit demonstrates file content reading, directory listing, and information disclosure via template injection, leveraging Java object manipulation to bypass sandbox restrictions.
References (5)
Scores
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H