4 matches found
CVE-2020-12668
This entry concerns Jinjava prior to version 2.5.4, where a template can reach arbitrary Java classes by invoking methods on objects supplied in the Jinjava context. The underlying issue is misuse of the application class loader, which enables scenarios such as Arbitrary File Disclosure. Public r...
CVE-2018-18893
CVE-2018-18893 affects Jinjava up to version 2.4.5; the vulnerability arises because JinjavaBeanELResolver does not block getClass, so a template expression can obtain a java.lang.Class object from any context value and from there reach other classes. Public references (GHSA, OSV, Veracode) describe risks of remote code execution or arbit...
CVE-2025-59340
Summary: CVE-2025-59340 affects jinjava (Java-based template engine). The issue arises because mapper.getTypeFactory().constructFromCanonical() accepts attacker-controlled input and deserializes it into arbitrary classes via Jackson's ObjectMapper, enabling a sandbox escape and potential access to local files/URLs (e...
CVE-2026-25526
CVE-2026-25526 affects JinJava, a Java-based template engine that renders Jinja-like templates. The vulnerability allows arbitrary Java execution through the ForTag, which can be used to instantiate arbitrary Java classes and reach the filesystem in spite of the sandbox restrictions. Red Hat and othe...
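The two class-access entries above (CVE-2018-18893 and CVE-2020-12668) share one first hop: a template obtains a java.lang.Class from a plain context value and walks from there to the class loader. The following regression check is an added example, not code from Jinjava or from any of the advisories; it assumes com.hubspot.jinjava:jinjava is on the classpath and relies only on the public Jinjava.render(String, Map) entry point. The probe templates and the context value "probe" are constructed for the check.

```java
import com.hubspot.jinjava.Jinjava;

import java.util.HashMap;
import java.util.Map;

/**
 * Regression check for getClass / class-loader reachability from a template.
 * Added example, not Jinjava project code. Assumes the Jinjava artifact is on
 * the classpath; a release at or after 2.5.4 (per the advisories) should pass.
 */
public class JinjavaClassAccessCheck {

    // Constructed probe templates. Each tries to turn an ordinary String in the
    // context into a java.lang.Class or ClassLoader, the first hop in both CVEs.
    private static final String[] PROBES = {
        "{{ s.getClass() }}",
        "{{ s.class }}",
        "{{ s.getClass().getClassLoader() }}",
    };

    /** Returns true if none of the probes leaks a Class or ClassLoader into the output. */
    public static boolean classAccessIsBlocked(Jinjava jinjava) {
        Map<String, Object> context = new HashMap<>();
        context.put("s", "probe"); // constructed context value
        for (String probe : PROBES) {
            String out;
            try {
                out = jinjava.render(probe, context);
            } catch (RuntimeException e) {
                // A patched release may reject the expression with a template error;
                // refusing to evaluate it counts as blocked.
                continue;
            }
            // A vulnerable release renders e.g. "class java.lang.String" or the
            // toString() of an AppClassLoader; a patched one renders nothing useful.
            if (out.contains("java.lang") || out.contains("ClassLoader")) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) {
        boolean blocked = classAccessIsBlocked(new Jinjava());
        System.out.println(blocked
            ? "getClass/class-loader access blocked"
            : "VULNERABLE: a template can reach java.lang.Class from context objects");
        System.exit(blocked ? 0 : 1);
    }
}
```

Run it against the exact Jinjava version your build resolves (for example from the output of mvn dependency:tree) rather than against a version pinned only in a parent POM; a transitive downgrade is the usual way an already-fixed engine ends up back on the classpath. The check is deliberately narrow: it does not cover the Jackson constructFromCanonical path of CVE-2025-59340 or the ForTag bypass of CVE-2026-25526, which need their own probes.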