A massive hole has been found in the walls of Jinjava, the popular Java-based template engine used to power thousands of websites on the HubSpot CMS. Tracked as CVE-2026-25526, this critical vulnerability carries a near-maximum CVSS score of 9.8 and allows an attacker who can edit a template to bypass the engine's sandbox and execute arbitrary Java code on the server.
The vulnerability is a nightmare scenario for any platform that allows users to customize their own templates. Ordinarily, Jinjava is designed to run untrusted code safely by restricting what it can access. This flaw, however, breaks those handcuffs entirely.
The core of the issue lies in how the engine handles loops and object creation. The vulnerability is actually a “chain” of bypasses that dismantle the engine’s security layers.
First, the ForTag class, used to iterate over lists or items, failed to check IDs at the door. The advisory explains: “The ForTag class does not enforce Jinjava Bean ELResolver restrictions when iterating over object properties using Introspector.getBeanInfo()”.
This oversight allowed attackers to invoke “getter” methods that should have been off-limits, effectively letting them peek into parts of the application's object state they were never supposed to see.
The second part of the attack is even more potent. It involves the ObjectMapper, a tool used to convert JSON data into Java objects. Attackers found they could use this tool to sneak in dangerous class types that were supposed to be banned.
“The sandbox’s type allowlist can be bypassed by using ObjectMapper to instantiate classes through JSON deserialization,” the report states.
By combining these techniques, an attacker with the ability to edit a template could instantiate a “new JinjavaConfig or JinjavaELContext”, effectively rewriting the rules of the game from the inside out.
The impact of this flaw is severe. It allows for “Arbitrary Java Execution”, meaning an attacker could potentially read sensitive files, modify data, or crash the service.
The maintainers have released a comprehensive fix that adds security checks to the ForTag renderer and tightens the leash on the ObjectMapper.
Organizations using Jinjava are urged to upgrade immediately. “Upgrade to version 2.8.3 or 2.7.6 or later to address this vulnerability,” the advisory warns.
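To turn the upgrade advice into a check that can run in CI, here is an added example (not code from the advisory or the Jinjava project) that scans `mvn dependency:tree` output for the Jinjava artifact and flags versions below the fixed releases quoted above, 2.7.6 on the 2.7 line and 2.8.3 on the 2.8 line. The Maven coordinate `com.hubspot.jinjava:jinjava` is assumed to be the library's standard artifact name, the sample tree lines are constructed, and versions older than 2.7 are treated as affected because the advisory names no fix for them.

```python
"""Flag Jinjava dependency versions still affected by CVE-2026-25526.

Added example, not code from the advisory or the Jinjava project. It reads
`mvn dependency:tree` output and applies the fix thresholds quoted in the
advisory: 2.7.6 on the 2.7 line, 2.8.3 on the 2.8 line, and anything later.
Versions older than 2.7 are treated as affected (assumption: no fix is
stated for them).
"""
import re
from typing import List, Tuple

# Maven coordinate of the library (assumed to be the standard artifact name).
JINJAVA_ARTIFACT = "com.hubspot.jinjava:jinjava"

# Fixed patch level per (major, minor) line, from "2.8.3 or 2.7.6 or later".
FIXED_BY_MINOR = {(2, 7): 6, (2, 8): 3}

# Matches the artifact on a dependency-tree line such as
# "[INFO] +- com.hubspot.jinjava:jinjava:jar:2.7.4:compile"
DEP_LINE = re.compile(
    re.escape(JINJAVA_ARTIFACT) + r":(?:[\w-]+:)?(?P<version>[0-9][\w.\-]*)"
)


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '2.8.3' or '2.8.3-SNAPSHOT' into (2, 8, 3); missing parts become 0."""
    core = text.split("-")[0]
    parts = [int(p) for p in core.split(".")[:3] if p.isdigit()]
    while len(parts) < 3:
        parts.append(0)
    return parts[0], parts[1], parts[2]


def is_affected(version: str) -> bool:
    """True when the version predates the fix on its release line."""
    major, minor, patch = parse_version(version)
    line = (major, minor)
    if line in FIXED_BY_MINOR:
        return patch < FIXED_BY_MINOR[line]
    # Newer lines (2.9+, 3.x) ship after the fix; older ones have no stated fix.
    return line < (2, 7)


def scan_dependency_tree(tree_output: str) -> List[Tuple[str, bool]]:
    """Return (version, affected) for every Jinjava artifact found in the tree."""
    found: List[Tuple[str, bool]] = []
    for line in tree_output.splitlines():
        match = DEP_LINE.search(line)
        if match:
            version = match.group("version")
            found.append((version, is_affected(version)))
    return found


# Constructed sample: two modules, one on a vulnerable 2.7.x, one already fixed.
SAMPLE_TREE = """\
[INFO] com.example:webapp:jar:1.0.0
[INFO] +- com.hubspot.jinjava:jinjava:jar:2.7.4:compile
[INFO] |  \\- com.google.guava:guava:jar:33.0.0-jre:compile
[INFO] \\- org.slf4j:slf4j-api:jar:2.0.9:compile
[INFO] com.example:admin:jar:1.0.0
[INFO] +- com.hubspot.jinjava:jinjava:jar:2.8.3:compile
"""


def main() -> None:
    # Pipe real output in with: mvn dependency:tree | python this_script.py
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_TREE
    results = scan_dependency_tree(text)
    if not results:
        print("Jinjava not found in dependency tree")
        return
    for version, affected in results:
        status = "AFFECTED, upgrade to 2.7.6/2.8.3+" if affected else "fixed"
        print(f"jinjava {version}: {status}")
    if any(affected for _, affected in results):
        sys.exit(1)


if __name__ == "__main__":
    main()
```

The script exits non-zero when any affected version is present, so it can gate a build. Snapshot and qualifier suffixes are stripped before comparison, which means a `2.7.6-SNAPSHOT` is treated as fixed; tighten `parse_version` if your release process needs pre-release builds counted as unpatched.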