Impact
JinJava, HubSpot's Java-based template engine that emulates Django template syntax, allows arbitrary Java execution in versions before 2.7.6 and, on the 2.8 line, before 2.8.3. An attacker who controls template content can bypass the ForTag restrictions to instantiate arbitrary Java classes and read files, defeating the sandboxing meant to contain template execution. The weakness is classified as CWE-1336 (Improper Neutralization of Special Elements Used in a Template Engine); successful exploitation runs code with the privileges of the Java process that renders the template.
Affected Systems
The affected product is HubSpot's JinJava template engine. Two release lines are affected: every release older than 2.7.6, and the 2.8 releases older than 2.8.3 (2.8.0 through 2.8.2). The fixed releases are 2.7.6 and 2.8.3. Administrators should check which version their build actually resolves (the Maven artifact is com.hubspot.jinjava:jinjava, and it may arrive transitively) and plan an upgrade to a patched release.
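The two affected ranges above are easy to get wrong by hand (2.7.6 is fixed, 2.7.5 is not; 2.8.0 is affected even though it is newer than 2.7.6). The script below is an added example, not code from OpenCVE, HubSpot or the advisory: it reads the com.hubspot.jinjava:jinjava dependencies out of a pom.xml (a constructed sample is embedded) and flags each version against those ranges. The Maven coordinates are the project's published ones; the sample POM, the function names and the handling of unresolved `${...}` version properties are this example's own choices.

```python
"""Check pom.xml dependencies against the JinJava affected ranges.

Added example (not code from OpenCVE, HubSpot or the advisory).
Affected: every release before 2.7.6, and 2.8.0 up to but not including 2.8.3.
Fixed: 2.7.6 on the 2.7 line, 2.8.3 on the 2.8 line, and anything newer.
"""
import re
import xml.etree.ElementTree as ET

GROUP_ID = "com.hubspot.jinjava"   # published Maven groupId
ARTIFACT_ID = "jinjava"            # published Maven artifactId


def parse_version(text):
    """Turn '2.7.5' or '2.8.3-SNAPSHOT' into a comparable int tuple.

    Only the leading dotted numeric prefix matters for the range check.
    Raises ValueError for unresolved property references such as '${jinjava.version}'.
    """
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(x or 0) for x in m.groups())


def is_vulnerable(version):
    """True if the version falls in either affected range."""
    v = parse_version(version) if isinstance(version, str) else version
    if v < (2, 7, 6):               # everything older than the 2.7.6 fix
        return True
    if (2, 8, 0) <= v < (2, 8, 3):  # the 2.8 line before its own fix
        return True
    return False                    # 2.7.6..2.7.x, 2.8.3+, 2.9+


def _local(tag):
    # Strip the Maven XML namespace ({http://maven.apache.org/POM/4.0.0}dependency -> dependency)
    return tag.rsplit("}", 1)[-1]


def jinjava_versions_in_pom(pom_xml):
    """Return the version strings of every jinjava <dependency> in the POM."""
    root = ET.fromstring(pom_xml)
    found = []
    for dep in root.iter():
        if _local(dep.tag) != "dependency":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in dep}
        if fields.get("groupId") == GROUP_ID and fields.get("artifactId") == ARTIFACT_ID:
            found.append(fields.get("version", ""))
    return found


def audit_pom(pom_xml):
    """Map each declared jinjava version to a verdict string."""
    verdicts = {}
    for v in jinjava_versions_in_pom(pom_xml):
        try:
            verdicts[v] = "VULNERABLE" if is_vulnerable(v) else "fixed"
        except ValueError:
            # A property or range the POM does not resolve here: check the
            # effective POM (mvn help:effective-pom) or dependency:tree instead.
            verdicts[v] = "unknown (unresolved version)"
    return verdicts


# Constructed sample POM (not from any real project): one module pinned to an
# affected 2.7.x release, one on the patched 2.8 release, one via a property.
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId><artifactId>app</artifactId><version>1.0</version>
  <dependencies>
    <dependency>
      <groupId>com.hubspot.jinjava</groupId>
      <artifactId>jinjava</artifactId>
      <version>2.7.5</version>
    </dependency>
    <dependency>
      <groupId>com.hubspot.jinjava</groupId>
      <artifactId>jinjava</artifactId>
      <version>2.8.3</version>
    </dependency>
    <dependency>
      <groupId>com.hubspot.jinjava</groupId>
      <artifactId>jinjava</artifactId>
      <version>${jinjava.version}</version>
    </dependency>
  </dependencies>
</project>
"""

if __name__ == "__main__":
    for version, verdict in audit_pom(SAMPLE_POM).items():
        print(f"{GROUP_ID}:{ARTIFACT_ID}:{version} -> {verdict}")
```

The check reads only what the POM declares; a transitive pull of jinjava through another library will not appear there, so run the same version test against the output of `mvn dependency:tree` (or the Gradle equivalent) to see the version the build actually resolves.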
Risk and Exploitability
The CVSS base score of 9.8 rates the vulnerability critical, with high impact on confidentiality, integrity, and availability. The EPSS score of under 1% suggests a low probability of exploitation in the near term, and the flaw is not listed in CISA's KEV catalog, so no active exploitation has been confirmed by CISA; absence from KEV is not evidence that exploitation has not occurred. The likely attack vector is an attacker who can influence template content (a user-supplied template, or a template stored in a database and rendered later) injecting ForTag expressions that trigger code execution. This is inferred from the vulnerability description; the source data does not detail the exact exploitation method.
OpenCVE Enrichment source: GitHub GHSA