CRITICAL🇵🇱 Wersja polska

CVE-2026-25526

CVSS 9.8v3.1pub. 2026-02-04upd. 2026-02-20

JinJava is a Java-based template engine based on django template syntax, adapted to render jinja templates. Prior to versions 2.7.6 and 2.8.3, JinJava is vulnerable to arbitrary Java execution via bypass through ForTag. This allows arbitrary Java class instantiation and file access bypassing built-in sandbox restrictions. This issue has been patched in versions 2.7.6 and 2.8.3.

🤖 AI Analysis
How it works

The vulnerability (CWE-1336 — improper neutralization of special elements in template engine) consists in the ForTag mechanism not being properly restricted by the template engine's sandbox. An attacker can craft a malicious template containing a ForTag construct that bypasses built-in restrictions and enables direct instantiation of arbitrary Java classes. As a result, access to files on the server and execution of arbitrary code in the application context are possible.

Impact

An unauthenticated attacker can remotely execute arbitrary Java code on the server (RCE), instantiate arbitrary Java classes, and gain unauthorized access to files — leading to complete takeover of the application and potentially the operating system.

Mitigation & patch

HubSpot JinJava should be updated to version 2.7.6 or 2.8.3, in which the vulnerability has been fixed. Fix commits are available in the project's GitHub repository (3d02e504 and c7328dce). If immediate update is not possible, processing of untrusted templates by the template engine should be disabled.

Who is affected

HubSpot JinJava in versions prior to 2.7.6 and prior to 2.8.3

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Hubspot Jinjava

    APP
    Hubspot
    < 2.7.62.8.0 – 2.8.3 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2025-59340CRITICAL9.8PL ✓ten sam produkt

HubSpot Jinjava — ucieczka z sandbox i RCE przez deserializację szablonów

CVE-2020-12668MEDIUM6.5ten sam produkt

Jinjava before 2.5.4 allow access to arbitrary classes by calling Java methods on objects passed into a Jinjav...

CVE-2018-18893MEDIUM5.3ten sam produkt

Jinjava before 2.4.6 does not block the getClass method, related to com/hubspot/jinjava/el/ext/JinjavaBeanELRe...

CVE-2022-1239HIGH8.8ten sam vendor

The HubSpot WordPress plugin before 8.8.15 does not validate the proxy URL given to the proxy REST endpoint, w...

CVE-2017-16035HIGH8.1ten sam vendor

The hubl-server module is a wrapper for the HubL Development Server. During installation hubl-server downloads...