66 matches found

Source: OSV, added 2025/09/17 7:56 p.m.

GHSA-M49C-G9WR-HV6V jinjava has Sandbox Bypass via JavaType-Based Deserialization

Summary jinjava’s current sandbox restrictions prevent direct access to dangerous methods such as getClass, and block instantiation of Class objects. However, these protections can be bypassed. By using mapper.getTypeFactory.constructFromCanonical, it is possible to instruct the underlying...

CVSS 9.8, AI score 6.6, EPSS 0.01267
Exploits: 0, References: 6
Source: vulnersOsv, added 2025/09/17 7:56 p.m.

cn.sliew:carp-framework-template-jinja (>=0.0.80 <=0.0.89), cn.sliew:flinkful-kubernetes-controller (>=1.0.6 <=1.0.7) +11 more potentially affected by CVE-2025-59340 via com.hubspot.jinjava:jinjava (=2.8.0)

com.hubspot.jinjava:jinjava MAVEN version =2.8.0 is affected by a known vulnerability. The following packages have a transitive dependency on com.hubspot.jinjava:jinjava and may be impacted: - cn.sliew:carp-framework-template-jinja =0.0.80, =1.0.6, =1.0.6, =1.0.6, =1.1, =1.19.4, =1.19.4, =1.19.4,...

CVSS 10, AI score 6, EPSS 0.01267
Exploits: 0
Source: Positive Technologies, added 2025/09/17 12:00 a.m.

PT-2025-38270

Name of the Vulnerable Software and Affected Versions jinjava versions prior to 2.8.1 Description jinjava is a Java-based template engine. A sandbox escape flaw exists due to unrestricted interaction with the properties of JinjavaInterpreter instances, specifically through the ObjectMapper. By...

CVSS 10, AI score 7.5, EPSS 0.01267
Exploits: 0, References: 21
Source: CNNVD, added 2025/09/17 12:00 a.m.

HubSpot Jinjava Security Vulnerability

HubSpot Jinjava is an application from the HubSpot developers in the United States. It is a Java-based template engine, based on Django template syntax, suitable for rendering Jinja templates. A security vulnerability exists in HubSpot Jinjava versions prior to 2.8.1...

CVSS 10, AI score 7.8, EPSS 0.01267
Exploits: 0, References: 3
Source: RedhatCVE, added 2025/05/22 5:51 p.m.

CVE-2020-12668

Jinjava before 2.5.4 allows access to arbitrary classes by calling Java methods on objects passed into a Jinjava context. This could allow for abuse of the application class loader, including Arbitrary File Disclosure...

CVSS 6.8, AI score 7, EPSS 0.00328
Exploits: 1
Source: Tenable Nessus, added 2022/10/25 12:00 a.m.

Oracle GoldenGate (Oct 2022 CPU)

The version of GoldenGate installed on the remote host is affected by multiple vulnerabilities as referenced in the October 2022 CPU advisory. - Vulnerability in Oracle GoldenGate component: Oracle GoldenGate Microservices Dell BSAFE Micro Edition Suite. The supported version that is affected is...

CVSS 9.8, AI score 6.9, EPSS 0.01051
Exploits: 1, References: 13
Source: OSV, added 2022/02/09 12:33 a.m.

GHSA-2HJR-FG6C-V2H6 Unauthorized access to Class instance in Jinjava

Jinjava before 2.5.4 allows access to arbitrary classes by calling Java methods on objects passed into a Jinjava context. This could allow for abuse of the application class loader, including Arbitrary File Disclosure...

CVSS 6.5, AI score 6, EPSS 0.00328
Exploits: 1, References: 6
Source: Github Security Blog, added 2022/02/09 12:33 a.m.

Unauthorized access to Class instance in Jinjava

Jinjava before 2.5.4 allows access to arbitrary classes by calling Java methods on objects passed into a Jinjava context. This could allow for abuse of the application class loader, including Arbitrary File Disclosure...

CVSS 6.8, AI score 3.1, EPSS 0.00328
Exploits: 1, References: 7, Affected software: 1
Source: vulnersOsv, added 2022/02/09 12:33 a.m.

com.ancientlightstudios:simplegen (>=1.0.2 <=2.1.1), com.ancientlightstudios:simplegen-maven-plugin (>=1.0.2 <=2.1.1) +225 more potentially affected by CVE-2020-12668 via com.hubspot.jinjava:jinjava (>=1.0.3 <=2.5.3)

com.hubspot.jinjava:jinjava MAVEN version =1.0.3, =1.0.2, =1.0.2, =2.2.0, =0.8.0, =0.8.0, =0.10.5 and more Source cves: CVE-2020-12668 Source advisory: OSV:GHSA-2HJR-FG6C-V2H6...

CVSS 6.8, AI score 6.6, EPSS 0.00328
Exploits: 1
Source: Veracode, added 2021/02/22 4:41 a.m.

Arbitrary Code Execution

jinjava is vulnerable to arbitrary code execution. An attacker is able to gain access to arbitrary classes via objects that are passed to the Jinjava context through the application class loader...

CVSS 6.5, AI score 5.3, EPSS 0.00328
Exploits: 1, References: 6, Affected software: 1
Source: OSV, added 2021/02/19 11:15 p.m.

CVE-2020-12668

Jinjava before 2.5.4 allows access to arbitrary classes by calling Java methods on objects passed into a Jinjava context. This could allow for abuse of the application class loader, including Arbitrary File Disclosure...

CVSS 6.5, AI score 7
Exploits: 0, References: 5
Source: NVD, added 2021/02/19 11:15 p.m.

CVE-2020-12668

Jinjava before 2.5.4 allows access to arbitrary classes by calling Java methods on objects passed into a Jinjava context. This could allow for abuse of the application class loader, including Arbitrary File Disclosure...

CVSS 6.8, EPSS 0.00328
Exploits: 1, References: 5
Source: Prion, added 2021/02/19 11:15 p.m.

Arbitrary file deletion

Jinjava before 2.5.4 allows access to arbitrary classes by calling Java methods on objects passed into a Jinjava context. This could allow for abuse of the application class loader, including Arbitrary File Disclosure...

CVSS 6.8, AI score 6.5, EPSS 0.00328
Exploits: 1, References: 5, Affected software: 1
Source: Cvelist, added 2021/02/19 10:33 p.m.

CVE-2020-12668

Jinjava before 2.5.4 allows access to arbitrary classes by calling Java methods on objects passed into a Jinjava context. This could allow for abuse of the application class loader, including Arbitrary File Disclosure...

AI score 6.5, EPSS 0.00328
Exploits: 1, References: 5
Source: CVE, added 2021/02/19 10:33 p.m.

CVE-2020-12668

This entry concerns Jinjava prior to version 2.5.4, where callers can reach arbitrary Java classes by invoking methods on objects supplied in the Jinjava context. The underlying issue is abuse of the application class loader, enabling scenarios such as Arbitrary File Disclosure. Public r...

CVSS 6.8, AI score 6.5, EPSS 0.00328
Exploits: 1, References: 5, Affected software: 1
Source: CNNVD, added 2021/02/19 12:00 a.m.

HubSpot Jinjava Information Disclosure Vulnerability

HubSpot Jinjava is an application from the HubSpot developers in the United States. It is a Java-based template engine, based on Django template syntax, suitable for rendering Jinja templates. A security vulnerability exists in Jinjava. The vulnerability stems from allowing access...

CVSS 6.8, AI score 6.7, EPSS 0.00328
Exploits: 1, References: 6
Source: vulnersOsv, added 2019/01/04 5:43 p.m.

com.ancientlightstudios:simplegen (>=1.0.2 <=1.0.8), com.ancientlightstudios:simplegen-maven-plugin (>=1.0.2 <=1.0.8) +26 more potentially affected by CVE-2018-18893 via com.hubspot.jinjava:jinjava (>=1.0.3 <=2.4.12)

com.hubspot.jinjava:jinjava MAVEN version =1.0.3, =1.0.2, =1.0.2, =0.1.0, =2.5.5, =0.4.2, =0.1.0, =1.45.0, =1.70.0 and more Source cves: CVE-2018-18893 Source advisory: OSV:GHSA-45R8-3495-X6RM...

CVSS 5.3, AI score 6.4, EPSS 0.00453
Exploits: 0
Source: OSV, added 2019/01/04 5:43 p.m.

GHSA-45R8-3495-X6RM Jinjava calls getClass

Jinjava before 2.4.6 does not block the getClass method, related to com/hubspot/jinjava/el/ext/JinjavaBeanELResolver.java...

CVSS 5.3, AI score 5.5, EPSS 0.00453
Exploits: 0, References: 5
Source: Github Security Blog, added 2019/01/04 5:43 p.m.

Jinjava calls getClass

Jinjava before 2.4.6 does not block the getClass method, related to com/hubspot/jinjava/el/ext/JinjavaBeanELResolver.java...

CVSS 5.3, AI score 1.7, EPSS 0.00453
Exploits: 0, References: 4, Affected software: 1
Source: Veracode, added 2019/01/04 2:16 a.m.

Unsafe Function Usage

jinjava does not disallow the use of unsafe functions and is potentially vulnerable to remote code execution. The getClass method is not blocked in com/hubspot/jinjava/el/ext/JinjavaBeanELResolver.java, which could potentially allow an attacker to execute arbitrary Java or OS commands using...

CVSS 5.3, AI score 7.4, EPSS 0.00453
Exploits: 0, References: 2, Affected software: 1
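The three jinjava advisories in these results share one remediation: move com.hubspot.jinjava:jinjava to at least 2.4.6 (CVE-2018-18893, getClass not blocked), 2.5.4 (CVE-2020-12668, arbitrary class access via context objects) and 2.8.1 (CVE-2025-59340, sandbox bypass via JavaType-based deserialization). The vulnersOsv entries above show that the vulnerable version usually arrives transitively, through packages such as cn.sliew:carp-framework-template-jinja or com.ancientlightstudios:simplegen, so a version check has to walk the dependency tree rather than the project's own pom. The Python script below is an added example for this page; it is not code from HubSpot, Vulners or any project listed here. It parses the text output of mvn dependency:tree -Dverbose, reports every jinjava node that predates a fix version together with the direct dependency that pulls it in, and records whether Maven actually resolved that node. The fix versions are taken from the advisories above; the embedded tree is constructed sample input, and the assumption that verbose mode wraps omitted nodes in parentheses is marked in the code.

```python
"""Flag vulnerable com.hubspot.jinjava:jinjava versions in `mvn dependency:tree` output.

Added example for this results page; not code from HubSpot, Vulners or any
listed project. Fix versions come from the advisories on the page. SAMPLE_TREE
is constructed input, not a real build.
"""
import re
import sys

# (CVE, first fixed version) as stated by the advisories listed on this page.
JINJAVA_ADVISORIES = (
    ("CVE-2018-18893", "2.4.6"),  # getClass not blocked in JinjavaBeanELResolver
    ("CVE-2020-12668", "2.5.4"),  # arbitrary class access via context objects
    ("CVE-2025-59340", "2.8.1"),  # sandbox bypass via JavaType deserialization
)
JINJAVA = ("com.hubspot.jinjava", "jinjava")

# A tree line after its "[INFO] " log prefix: tree-drawing characters, then an
# optional "(" (assumption: -Dverbose wraps omitted nodes in parentheses),
# then the Maven coordinates up to the first space or ")".
LINE_RE = re.compile(r"^(?P<prefix>[ |+\\-]*)(?P<omitted>\(?)(?P<coords>[A-Za-z][^\s)]*)")


def parse_version(text):
    """'2.5.3' -> (2, 5, 3); a qualifier such as '-SNAPSHOT' is dropped."""
    return tuple(int(p) for p in text.split("-")[0].split("."))


def affected_cves(version):
    """CVEs whose fix version is newer than the given jinjava version."""
    v = parse_version(version)
    return [cve for cve, fixed in JINJAVA_ADVISORIES if v < parse_version(fixed)]


def parse_coords(coords):
    """group:artifact:type[:classifier]:version[:scope] -> (group, artifact, version)."""
    parts = coords.split(":")
    if len(parts) < 4:
        return None  # plugin banners, log text, the root line without a scope still has 4
    version = parts[4] if len(parts) == 6 else parts[3]
    return parts[0], parts[1], version


def scan_dependency_tree(tree_text):
    """Return one finding per jinjava node that predates a fix version.

    A finding names the chain from the direct dependency down to jinjava, so a
    transitive hit can be traced to the library that pulls it in, and whether
    Maven resolved that node. An omitted node is not on the classpath, but it
    shows which dependency would reintroduce the old version if the winner moved.
    """
    findings = []
    path = []  # ancestor coordinates, indexed by tree depth
    for raw in tree_text.splitlines():
        line = raw[len("[INFO] "):] if raw.startswith("[INFO] ") else raw
        m = LINE_RE.match(line)
        if not m:
            continue
        parsed = parse_coords(m.group("coords"))
        if parsed is None:
            continue
        group, artifact, version = parsed
        depth = len(m.group("prefix")) // 3  # "+- " is one level, "|  +- " is two
        path = path[:depth]
        path.append(f"{group}:{artifact}:{version}")
        if (group, artifact) == JINJAVA:
            cves = affected_cves(version)
            if cves:
                findings.append({
                    "via": " -> ".join(path[1:-1]) or "(direct)",
                    "version": version,
                    "resolved": m.group("omitted") == "",
                    "cves": cves,
                })
    return findings


# Constructed sample output of `mvn dependency:tree -Dverbose`. The coordinates
# reuse package names from this page, but the tree itself is made up.
SAMPLE_TREE = """\
[INFO] --- maven-dependency-plugin:3.6.0:tree (default-cli) @ demo-app ---
[INFO] com.example:demo-app:jar:1.0.0
[INFO] +- cn.sliew:carp-framework-template-jinja:jar:0.0.85:compile
[INFO] |  \\- com.hubspot.jinjava:jinjava:jar:2.8.0:compile
[INFO] +- com.ancientlightstudios:simplegen:jar:2.1.1:compile
[INFO] |  \\- (com.hubspot.jinjava:jinjava:jar:2.5.3:compile - omitted for conflict with 2.8.0)
[INFO] \\- org.example:template-utils:jar:3.2.0:compile
[INFO]    \\- (com.hubspot.jinjava:jinjava:jar:2.8.1:compile - omitted for conflict with 2.8.0)
"""

if __name__ == "__main__":
    # Pipe a real tree in, or run without input to scan the constructed sample.
    tree = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_TREE
    for f in scan_dependency_tree(tree):
        state = "resolved" if f["resolved"] else "omitted"
        print(f"jinjava {f['version']} ({state}) via {f['via']}: {', '.join(f['cves'])}")
```

In the sample, 2.8.0 is the version Maven actually ships and is exposed to CVE-2025-59340, while the 2.8.1 that org.example:template-utils asks for loses the conflict to it; the fix is a direct dependency on 2.8.1 or newer in the project's own pom, not an upgrade of the transitive library alone. Run the script once per module, since each module of a multi-module build resolves its own tree.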