CVE-2026-25526 is a critical vulnerability in Jinjava, the Java-based template engine used by HubSpot CMS. It carries a near-maximum CVSS score of 9.8 and permits remote code execution. The flaw lies in how Jinjava handles loops and object creation: together, the two weaknesses bypass the engine's sandbox and allow arbitrary Java code to run on the server that renders the template.
According to the article, the issue is a chain of bypasses rather than a single bug. The first link is the ForTag class, which fails to apply the engine's method restrictions when a for loop iterates over an object's properties, so a template can invoke getter methods that are otherwise blocked. The second is the ObjectMapper exposed to templates, which an attacker can misuse to deserialise JSON into class types the sandbox bans, bypassing its type allowlist.
By combining these techniques, an attacker who can edit a template could instantiate JinjavaConfig or JinjavaELContext objects and rewrite the sandbox's own rules from inside the application. The precondition is template-edit access, so any application that embeds Jinjava and renders templates from less-trusted authors is in scope, not only HubSpot CMS itself. Organisations are urged to upgrade to version 2.8.3 or later, or to 2.7.6 or later on the 2.7 release line, to address this vulnerability.
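The check a practitioner wants after reading this is whether their own build pulls in an affected Jinjava release. The script below is an added example written for this summary, not code from the article, from Jinjava or from HubSpot. It assumes the Maven coordinates com.hubspot.jinjava:jinjava (an assumption) and the fixed versions named above (2.7.6 and 2.8.3); it treats branches older than 2.7 as affected because the advisory names no fixed release for them, and branches newer than 2.8 as carrying the fix. The pom.xml and build.gradle fragments are constructed sample input.

```python
"""Flag Jinjava dependency declarations affected by CVE-2026-25526.

Example code added for this write-up, not from Jinjava or HubSpot.
"""
import re
import xml.etree.ElementTree as ET

# Fixed releases named in the advisory; anything below them on the same
# 2.7.x / 2.8.x branch is affected.
FIXED_BY_BRANCH = {(2, 7): (2, 7, 6), (2, 8): (2, 8, 3)}
NEWEST_FIXED_BRANCH = max(FIXED_BY_BRANCH)

# Maven coordinates of the library (assumption made for this example).
GROUP_ID = "com.hubspot.jinjava"
ARTIFACT_ID = "jinjava"

VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """'2.8.2' -> (2, 8, 2); '2.8' -> (2, 8, 0); a '-SNAPSHOT' qualifier is ignored."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def is_vulnerable(version):
    """True when the version predates the fixed release of its branch.

    Branches older than 2.7 have no fixed release in the advisory and are
    treated as affected; branches newer than 2.8 are assumed to carry the fix.
    """
    v = parse_version(version)
    branch = v[:2]
    if branch in FIXED_BY_BRANCH:
        return v < FIXED_BY_BRANCH[branch]
    return branch < NEWEST_FIXED_BRANCH


def _local(tag):
    """Strip the Maven POM XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def jinjava_versions_in_pom(pom_xml):
    """Return every version declared for the Jinjava artifact in a pom.xml,
    resolving ${property} references against <properties>."""
    root = ET.fromstring(pom_xml)
    props = {}
    for el in root.iter():
        if _local(el.tag) == "properties":
            props.update({_local(c.tag): (c.text or "").strip() for c in el})
    found = []
    for dep in root.iter():
        if _local(dep.tag) != "dependency":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in dep}
        if fields.get("groupId") != GROUP_ID or fields.get("artifactId") != ARTIFACT_ID:
            continue
        version = fields.get("version", "")
        ref = re.fullmatch(r"\$\{([^}]+)\}", version)
        if ref:
            version = props.get(ref.group(1), version)
        found.append(version)
    return found


GRADLE_RE = re.compile(
    r"""['"]""" + re.escape(GROUP_ID) + ":" + re.escape(ARTIFACT_ID) + r""":([^'"]+)['"]"""
)


def jinjava_versions_in_gradle(build_gradle):
    """Return every version in 'com.hubspot.jinjava:jinjava:<version>' strings."""
    return GRADLE_RE.findall(build_gradle)


def audit(versions):
    """Map each declared version to whether it is affected by CVE-2026-25526."""
    return {v: is_vulnerable(v) for v in versions}


# Constructed sample inputs (not real project files).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><jinjava.version>2.8.2</jinjava.version></properties>
  <dependencies>
    <dependency>
      <groupId>com.hubspot.jinjava</groupId>
      <artifactId>jinjava</artifactId>
      <version>${jinjava.version}</version>
    </dependency>
  </dependencies>
</project>
"""

SAMPLE_GRADLE = """dependencies {
    implementation 'com.hubspot.jinjava:jinjava:2.7.6'
    implementation "com.hubspot.jinjava:jinjava:2.7.5"
}
"""

if __name__ == "__main__":
    for name, versions in (("pom.xml", jinjava_versions_in_pom(SAMPLE_POM)),
                           ("build.gradle", jinjava_versions_in_gradle(SAMPLE_GRADLE))):
        for version, affected in audit(versions).items():
            print(f"{name}: jinjava {version}: {'AFFECTED' if affected else 'ok'}")
```

Point the two `jinjava_versions_in_*` helpers at real build files to get a per-declaration verdict; a version that only arrives transitively (through another dependency's POM) will not appear here, so also check the resolved dependency tree from your build tool.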