CVE-2024-58303

HIGH

FoF Pretty Mail 1.1.2 - Code Injection

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2024-58303. PoCs published by Chokri Hammedi.

AI-analyzed exploit summary: This exploit demonstrates a Server-Side Template Injection (SSTI) vulnerability in FoF Pretty Mail 1.1.2, allowing an attacker with administrative access to execute arbitrary system commands via crafted template variables.

Description

FoF Pretty Mail 1.1.2 contains a server-side template injection vulnerability that allows administrative users to inject malicious code into email templates. Attackers can execute system commands by inserting crafted template expressions that trigger arbitrary code execution during email generation.

Exploits (1)

exploitdb · WORKING POC
by Chokri Hammedi · text · webapps · php
https://www.exploit-db.com/exploits/51948

Classification: Working PoC (90%)
Attack type: RCE
Complexity: Trivial
Reliability: Reliable
Target: FoF Pretty Mail 1.1.2
Auth required: yes
Prerequisites: Administrative access to the Flarum forum · FoF Pretty Mail extension installed and configured
Analyzed by devstral-2 on Feb 16, 2026

References (4)

Scores

CVSS v4: 8.6
EPSS: 0.0002
EPSS Percentile: 7.2%
CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CISA SSVC (Vulnrichment)

Exploitation: none
Automatable: no
Technical Impact: total

Details

CWE: CWE-1336 (Improper Neutralization of Special Elements Used in a Template Engine)
Status: published
Products (2):
Flarum/FriendsofFlarum Pretty Mail 1.1.2
fof/pretty-mail (Packagist)
Published: Dec 11, 2025
Tracked since: Feb 18, 2026