{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-05-11T11:43:35.534","vulnerabilities":[{"cve":{"id":"CVE-2026-25526","sourceIdentifier":"security-advisories@github.com","published":"2026-02-04T22:15:59.510","lastModified":"2026-02-20T21:00:42.130","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"JinJava is a Java-based template engine based on django template syntax, adapted to render jinja templates. Prior to versions 2.7.6 and 2.8.3, JinJava is vulnerable to arbitrary Java execution via bypass through ForTag. This allows arbitrary Java class instantiation and file access bypassing built-in sandbox restrictions. This issue has been patched in versions 2.7.6 and 2.8.3."},{"lang":"es","value":"JinJava es un motor de plantillas basado en Java, basado en la sintaxis de plantillas de Django, adaptado para renderizar plantillas Jinja. Antes de las versiones 2.7.6 y 2.8.3, JinJava es vulnerable a la ejecución arbitraria de Java a través de un bypass mediante ForTag. Esto permite la instanciación arbitraria de clases Java y el acceso a archivos eludiendo las restricciones de sandbox integradas. Este problema ha sido parcheado en las versiones 2.7.6 y 2.8.3."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":9.8,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":5.9}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-1336"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:hubspot:jinjava:*:*:*:*:*:*:*:*","versionEndExcluding":"2.7.6","matchCriteriaId":"BC9EFEAD-5907-4796-A5F8-401DF7A9319A"},{"vulnerable":true,"criteria":"cpe:2.3:a:hubspot:jinjava:*:*:*:*:*:*:*:*","versionStartIncluding":"2.8.0","versionEndExcluding":"2.8.3","matchCriteriaId":"959D6165-C81D-4F46-B188-E1B1BAEA5266"}]}]}],"references":[{"url":"https://github.com/HubSpot/jinjava/commit/3d02e504d8bbb13bf3fe019e9ca7b51dfce7a998","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/HubSpot/jinjava/commit/c7328dce6030ac718f88974196035edafef24441","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/HubSpot/jinjava/releases/tag/jinjava-2.7.6","source":"security-advisories@github.com","tags":["Product","Release Notes"]},{"url":"https://github.com/HubSpot/jinjava/releases/tag/jinjava-2.8.3","source":"security-advisories@github.com","tags":["Product","Release Notes"]},{"url":"https://github.com/HubSpot/jinjava/security/advisories/GHSA-gjx9-j8f8-7j74","source":"security-advisories@github.com","tags":["Patch","Vendor Advisory"]}]}}]}