CVE-2026-25526 CRITICAL

CVE-2026-25526: JinJava Bypass through ForTag leads to Arbitrary Java Execution

Vendor Hubspot

Product jinjava

Weakness CWE-1336

Published February 4, 2026

Last update February 5, 2026

View on NVD All CVEs

CVSS base score

9.8/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

Description

JinJava is a Java-based template engine based on django template syntax, adapted to render jinja templates. Prior to versions 2.7.6 and 2.8.3, JinJava is vulnerable to arbitrary Java execution via bypass through ForTag. This allows arbitrary Java class instantiation and file access bypassing built-in sandbox restrictions. This issue has been patched in versions 2.7.6 and 2.8.3.

Key dates

Disclosure timeline

February 4, 2026 CVE published

February 5, 2026 Record updated

Identifiers

CVE CVE-2026-25526

CWE CWE-1336

CVSS 9.8 / CRITICAL

Affected versions

Vendor Hubspot

Product jinjava

Affected < 2.7.6

Vendor Hubspot

Product jinjava

Affected < 2.8.3