CVE-2024-58302

MEDIUM

FoF Pretty Mail 1.1.2 - Local File Inclusion

Description

FoF Pretty Mail 1.1.2 contains a local file inclusion vulnerability that allows administrative users to include arbitrary server files in email templates. An attacker with administrative access can insert file inclusion payloads into the template settings, causing sensitive system files such as /etc/passwd to be read during email generation.

Exploits (1)

exploitdb WRITEUP
by Chokri Hammedi · text · webapps · php
https://www.exploit-db.com/exploits/51947

Scores

CVSS v4: 6.9
EPSS: 0.0008
EPSS Percentile: 22.4%
CVSS v4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Details

CWE: CWE-98
Status: published
Products (1): Flarum/FriendsofFlarum Pretty Mail 1.1.2
Published: Dec 11, 2025
Tracked Since: Feb 18, 2026