CVE-2024-58303: FoF Pretty Mail has a server-side template injection vulnerability

December 12, 2025

FoF Pretty Mail 1.1.2 contains a server-side template injection vulnerability that allows administrative users to inject malicious code into email templates. Attackers can execute system commands by inserting crafted template expressions that trigger arbitrary code execution during email generation.

References

flarum.org/
github.com/FriendsOfFlarum/pretty-mail
github.com/advisories/GHSA-947q-2xw3-gx9c
nvd.nist.gov/vuln/detail/CVE-2024-58303
www.exploit-db.com/exploits/51948
www.vulncheck.com/advisories/fof-pretty-mail-server-side-template-injection-via-email-template-settings

Code Behaviors & Features

Detect and mitigate CVE-2024-58303 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →