CVE-2026-25526 · CRITICAL 9.8 · EPSS percentile 54.6%

Description

JinJava is a Java-based template engine based on django template syntax, adapted to render jinja templates. Prior to versions 2.7.6 and 2.8.3, JinJava is vulnerable to arbitrary Java execution via bypass through ForTag. This allows arbitrary Java class instantiation and file access bypassing built-in sandbox restrictions. This issue has been patched in versions 2.7.6 and 2.8.3.

Scoring

CVSS 3.1: 9.8 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.89% probability of exploitation · percentile 54.6% · 2026-06-18T12:00:27Z
Published: 2026-02-04
Last modified: 2026-02-20

Underlying weaknesses · 1

CWE-1336

References

  1. https://github.com/HubSpot/jinjava/commit/3d02e504d8bbb13bf3fe019e9ca7b51dfce7a998
  2. https://github.com/HubSpot/jinjava/commit/c7328dce6030ac718f88974196035edafef24441
  3. https://github.com/HubSpot/jinjava/releases/tag/jinjava-2.7.6
  4. https://github.com/HubSpot/jinjava/releases/tag/jinjava-2.8.3
  5. https://github.com/HubSpot/jinjava/security/advisories/GHSA-gjx9-j8f8-7j74

Type      Target                                                                   Confidence  Tier
Weakness  Improper Neutralization of Special Elements Used in a Template Engine (cwe-1336)  0%  live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE: CVE-2025-59340
CVE: CVE-2025-27516
CVE: CVE-2026-33154
CVE: CVE-2025-31722
CVE: CVE-2026-35044
CVE: CVE-2026-45017
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.