CVE-2026-25526

CRITICAL

JinJava <2.7.6, <2.8.3 - RCE

Title source: llm

Description

JinJava is a Java-based template engine based on Django template syntax, adapted to render Jinja templates. Prior to versions 2.7.6 and 2.8.3, JinJava is vulnerable to arbitrary Java execution via a bypass through ForTag. This allows arbitrary Java class instantiation and file access, bypassing the built-in sandbox restrictions. This issue has been patched in versions 2.7.6 and 2.8.3.

Exploits (2)

github STUB 10 stars
by XiaomingX · pythonpoc
https://github.com/XiaomingX/data-cve-poc-py-v1/tree/main/2026/CVE-2026-25526
nomisec WORKING POC
by av4nth1ka · poc
https://github.com/av4nth1ka/jinjava-cve-2026-25526-poc

Scores

CVSS v3 9.8
EPSS 0.0004
EPSS Percentile 12.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-1336
Status published
Products (2)
com.hubspot.jinjava/jinjava 2.8.0 - 2.8.3 (Maven)
hubspot/jinjava < 2.7.6
Published Feb 04, 2026
Tracked Since Feb 18, 2026