CVE-2026-25526

Critical

Published: 04 February 2026

Published

04 February 2026

Modified

20 February 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0004 12.7th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-25526 is a critical-severity Improper Neutralization of Special Elements Used in a Template Engine (CWE-1336) vulnerability in Hubspot Jinjava. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 12.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 2 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly requires timely identification, reporting, and correction of flaws like this JinJava sandbox escape vulnerability through vendor patches to versions 2.7.6 or 2.8.3.

RA-5 Vulnerability Monitoring and Scanning good match

detect

Mandates vulnerability scanning to identify the presence of this CVE in deployed JinJava instances, enabling proactive remediation.

SI-4 System Monitoring partial match

detect

Enables monitoring for indicators of exploitation such as anomalous file access or unauthorized Java class instantiations resulting from sandbox bypass.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1059 Command and Scripting Interpreter Execution

Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.

attack.mitre.org →

T1005 Data from Local System Collection

Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

attack.mitre.org →

Why these techniques?

Remote unauthenticated RCE via public-facing JinJava template engine sandbox escape (T1190) directly enables arbitrary Java code execution (T1059) and unrestricted local file access/operations (T1005).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

JinJava is a Java-based template engine based on django template syntax, adapted to render jinja templates. Prior to versions 2.7.6 and 2.8.3, JinJava is vulnerable to arbitrary Java execution via bypass through ForTag. This allows arbitrary Java class instantiation and…

file access bypassing built-in sandbox restrictions. This issue has been patched in versions 2.7.6 and 2.8.3.

Deeper analysisAI

CVE-2026-25526 is a critical vulnerability in JinJava, a Java-based template engine that adapts Django template syntax for rendering Jinja templates. Prior to versions 2.7.6 and 2.8.3, the ForTag implementation allows attackers to bypass built-in sandbox restrictions, enabling arbitrary Java class instantiation and file access. This flaw, classified under CWE-1336 (Improvable Restriction of Excessive Authentication Attempts, though contextually related to sandbox escape), carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating severe impact potential.

The vulnerability can be exploited remotely by unauthenticated attackers with no user interaction required, due to its network-accessible and low-complexity nature. Successful exploitation grants arbitrary Java code execution within the application's context, allowing attackers to instantiate any Java class and perform unrestricted file operations, effectively defeating JinJava's sandbox protections. This could lead to full system compromise, data exfiltration, or persistence on affected servers processing untrusted templates.

Mitigation is available through upgrading to JinJava versions 2.7.6 or 2.8.3, where the issue has been patched via specific commits (3d02e504d8bbb13bf3fe019e9ca7b51dfce7a998 and c7328dce6030ac718f88974196035edafef24441). The HubSpot security advisory (GHSA-gjx9-j8f8-7j74) and release notes detail these fixes, recommending immediate updates for all deployments using vulnerable versions.

Details

CWE(s): CWE-1336

Affected Products

hubspot

jinjava

≤ 2.7.6 · 2.8.0 — 2.8.3

CVEs Like This One

CVE-2025-59340Same product: Hubspot Jinjava

CVE-2025-1040Shared CWE-1336

CVE-2024-54954Shared CWE-1336

CVE-2025-53833Shared CWE-1336

CVE-2024-57177Shared CWE-1336

CVE-2026-26938Shared CWE-1336

CVE-2026-21449Shared CWE-1336

CVE-2025-49828Shared CWE-1336

CVE-2026-34587Shared CWE-1336

CVE-2025-53909Shared CWE-1336

References

https://github.com/HubSpot/jinjava/commit/3d02e504d8bbb13bf3fe019e9ca7b51dfce7a998
Patch · security-advisories@github.com
https://github.com/HubSpot/jinjava/commit/c7328dce6030ac718f88974196035edafef24441
Patch · security-advisories@github.com
https://github.com/HubSpot/jinjava/releases/tag/jinjava-2.7.6
Product, Release Notes · security-advisories@github.com
https://github.com/HubSpot/jinjava/releases/tag/jinjava-2.8.3
Product, Release Notes · security-advisories@github.com
https://github.com/HubSpot/jinjava/security/advisories/GHSA-gjx9-j8f8-7j74
Patch, Vendor Advisory · security-advisories@github.com