CVE-2024-58303

HIGH

FoF Pretty Mail 1.1.2 - Code Injection


Description

FoF Pretty Mail 1.1.2 contains a server-side template injection vulnerability that allows an authenticated administrative user to inject malicious template expressions into email templates. Because these expressions are evaluated when emails are generated, a crafted template can trigger arbitrary code execution and the execution of system commands on the server.

Exploits (1)

exploit-db (working PoC)
by Chokri Hammedi · text · webapps · php
https://www.exploit-db.com/exploits/51948

Scores

CVSS v4 8.6
EPSS 0.0004
EPSS Percentile 10.9%
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Details

CWE
CWE-1336
Status published
Products (2)
Flarum/FriendsofFlarum Pretty Mail 1.1.2
fof/pretty-mail (Packagist)
Published Dec 11, 2025
Tracked Since Feb 18, 2026