← back
CVE-2024-58302

FoF Pretty Mail 1.1.2 Local File Inclusion via Email Template Settings

CVSS 6.9 MEDIUMEPSS 0.3%CWE-98
Vexday Risk Score
13Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 6.9EPSS 0.3%KEV nãoPoC Nuclei Metasploit Patch
Lifecycle
11 Dec 2025Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
FoF Pretty Mail 1.1.2 contains a local file inclusion vulnerability that allows administrative users to include arbitrary server files in email templates. Attackers can exploit the template settings by inserting file inclusion payloads to read sensitive system files like /etc/passwd during email generation.
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Affected products
Flarum · FriendsofFlarum Pretty Mail

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://flarum.org/https://github.com/FriendsOfFlarum/pretty-mailhttps://www.exploit-db.com/exploits/51947https://www.vulncheck.com/advisories/fof-pretty-mail-local-file-inclusion-via-email-template-settings