GHSA-947q-2xw3-gx9c

Source
https://github.com/advisories/GHSA-947q-2xw3-gx9c
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/12/GHSA-947q-2xw3-gx9c/GHSA-947q-2xw3-gx9c.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-947q-2xw3-gx9c
Aliases
  • CVE-2024-58303
Published
2025-12-12T00:30:21Z
Modified
2025-12-12T16:56:14.962289Z
Severity
  • 8.6 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Summary
FoF Pretty Mail has a server-side template injection vulnerability
Details

FoF Pretty Mail 1.1.2 contains a server-side template injection vulnerability that allows administrative users to inject malicious code into email templates. Attackers can execute system commands by inserting crafted template expressions that trigger arbitrary code execution during email generation.

Database specific
{
    "github_reviewed": true,
    "nvd_published_at": "2025-12-11T22:15:51Z",
    "github_reviewed_at": "2025-12-12T16:39:19Z",
    "severity": "HIGH",
    "cwe_ids": [
        "CWE-1336"
    ]
}
References

Affected packages

Packagist / fof/pretty-mail

Package

Name
fof/pretty-mail
Purl
pkg:composer/fof/pretty-mail

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Last affected
1.1.2

Affected versions

0.*

0.1.0-beta.1
0.1.0-beta.2
0.1.0-beta.3
0.1.0
0.1.1
0.1.2
0.1.3
0.1.4
0.1.5
0.1.6
0.1.7
0.2.0
0.2.1
0.3.0
0.4.0

1.*

1.0.0
1.0.1
1.1.0
1.1.1
1.1.2