FoF Pretty Mail 1.1.2 Server Side Template Injection via Email Template Settings

Advisories

severity: high
date: December 11, 2025
Affecting: FriendsofFlarum Pretty Mail 1.1.2
CVE: CVE-2024-58303
CWE: CWE-1336 Improper Neutralization of Special Elements Used in a Template Engine (SSTI)
CVSS: 8.6
CVSS V4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
References: ExploitDB-51948
Flarum Homepage
Pretty Mail GitHub Repository
Credit: Chokri Hammedi
Description: FoF Pretty Mail 1.1.2 contains a server-side template injection vulnerability that allows administrative users to inject malicious code into email templates. Attackers can execute system commands by inserting crafted template expressions that trigger arbitrary code execution during email generation.