EXECUTIVE SUMMARY:
CVE-2026-25526 is a critical severity vulnerability affecting the Jinjava template engine. The issue allows a sandbox bypass via ForTag handling, which can result in arbitrary Java code execution. The flaw affects the com.hubspot.jinjava:jinjava package in versions earlier than 2.7.6, as well as versions 2.8.0 through 2.8.2. It has been assigned a CVSS v3.1 base score of 9.8, reflecting its critical risk level. The vulnerability is remotely exploitable over the network with low attack complexity and requires no privileges or user interaction. Successful exploitation can lead to a complete compromise of confidentiality, integrity, and availability. The root cause is improper handling of template logic that lets an attacker escape the intended security restrictions of the sandbox. Environments that process untrusted templates with affected Jinjava versions are therefore at significant risk.
RECOMMENDATION:
We strongly recommend you update Jinjava to version 2.7.6, 2.8.3, or later.
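To help locate affected builds, the following is an added example (not part of this advisory or the Jinjava project) that scans a Maven pom.xml for the com.hubspot.jinjava:jinjava dependency and flags versions in the ranges listed above; the pom fragment is constructed for demonstration, and version qualifiers such as -SNAPSHOT are deliberately ignored.

```python
# Added example for CVE-2026-25526: flag Jinjava versions in the affected
# ranges stated in the advisory (< 2.7.6, or 2.8.0 through 2.8.2).
import re
import xml.etree.ElementTree as ET

AFFECTED_ARTIFACT = ("com.hubspot.jinjava", "jinjava")
MAVEN_NS = {"m": "http://maven.apache.org/POM/4.0.0"}


def parse_version(v: str) -> tuple:
    """Turn '2.7.5' or '2.8.2-SNAPSHOT' into a 3-part numeric tuple.
    Qualifiers after the numeric part are ignored (assumption of this example)."""
    m = re.match(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?", v.strip())
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(int(p) if p else 0 for p in m.groups())


def is_affected(version: str) -> bool:
    """True if the version falls inside an affected range from the advisory."""
    v = parse_version(version)
    return v < (2, 7, 6) or (2, 8, 0) <= v <= (2, 8, 2)


# Constructed pom.xml fragment for demonstration; point this at a real file.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>com.hubspot.jinjava</groupId>
      <artifactId>jinjava</artifactId>
      <version>2.8.1</version>
    </dependency>
  </dependencies>
</project>"""


def affected_dependencies(pom_xml: str) -> list:
    """Return (groupId, artifactId, version) for each affected Jinjava entry.
    Versions given as Maven properties (e.g. ${jinjava.version}) are skipped,
    since resolving them requires the full project model."""
    root = ET.fromstring(pom_xml)
    hits = []
    for dep in root.findall(".//m:dependency", MAVEN_NS):
        gid = dep.findtext("m:groupId", default="", namespaces=MAVEN_NS)
        aid = dep.findtext("m:artifactId", default="", namespaces=MAVEN_NS)
        ver = dep.findtext("m:version", default="", namespaces=MAVEN_NS)
        if (gid, aid) != AFFECTED_ARTIFACT or not ver or ver.startswith("${"):
            continue
        if is_affected(ver):
            hits.append((gid, aid, ver))
    return hits


if __name__ == "__main__":
    for hit in affected_dependencies(SAMPLE_POM):
        print("AFFECTED:", hit)
```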
REFERENCES:
The following reports contain further technical details: