jinjava is vulnerable to arbitrary code execution. An attacker is able to gain access to arbitrary classes via objects that are passed to the Jinjava context through the application class loader.
github.com/HubSpot/jinjava/compare/jinjava-2.5.3...jinjava-2.5.4
github.com/HubSpot/jinjava/pull/426/commits/5dfa5b87318744a4d020b66d5f7747acc36b213b
github.com/HubSpot/jinjava/pull/435
github.com/HubSpot/jinjava/pull/435/commits/1b9aaa4b420c58b4a301cf4b7d26207f1c8d1165
github.com/HubSpot/jinjava/releases/tag/jinjava-2.5.4
securitylab.github.com/advisories/GHSL-2020-072-hubspot_jinjava