FoF Pretty Mail, Server-Side Template Injection Vulnerability, High Severity


How the mentioned vulnerability works:

The vulnerability in FoF Pretty Mail version 1.1.2 is a server-side template injection (SSTI) that allows administrative users to inject malicious code into email templates. When editing an email template, an attacker can insert crafted template expressions that the template engine processes during email generation. This occurs because the application fails to properly sanitize or validate user-supplied template input, and the template engine, likely based on a scripting language like Python, evaluates these expressions unsafely. For example, an attacker could inject a payload such as {{ config.items() }} to access configuration data, or {{ ''.__class__.__mro__[<index>].__subclasses__() }} to traverse the object hierarchy and execute system commands. During email rendering the injected code is interpreted on the server, leading to arbitrary code execution. The vulnerability leverages the template engine's ability to call native functions, so calls like os.system() or subprocess.call() can run shell commands. Attackers with administrative access can thus compromise the underlying server, steal sensitive data, or deploy malware. The root cause is mixing dynamic content with template directives without sandboxing or a safe evaluation mode, which makes the issue critical for applications that handle user-generated templates.

dailycve form:

Platform: FoF Pretty Mail
Version: 1.1.2
Vulnerability: Server-side template injection
Severity: High
Date: Dec 12, 2025

Prediction: Patch expected soon

What Undercode Says:

Analytics:

Check for SSTI via curl

curl -X POST http://localhost/email-template -d 'template={{77}}'

Python SSTI detection snippet

import requests

# The report does not name the target; the endpoint from the curl check above is used as a placeholder.
url = "http://localhost/email-template"
# Probe payload as printed in the report; the list index is left as a placeholder.
payload = '{{"".__class__.__mro__[<index>].__subclasses__()}}'

response = requests.post(url, data={"template": payload})
print(response.text)

How to Exploit:

Gain admin access.

Edit email template.

Inject malicious code.

Trigger email generation.

Protection from this CVE

Update software version.

Sanitize template inputs.

Use sandboxed environments.
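The explanation above describes how handing admin-supplied template text to an expression evaluator leads to code execution, and the protection list recommends sanitizing template input and sandboxing. The following Python example is added here and is not code from the report or from FoF Pretty Mail: it shows a substitution-only renderer that accepts only allow-listed bare placeholders inside {{ }} and refuses any attribute access, call, filter or literal, together with an audit function that flags suspicious constructs in a submitted template for logging. The field allowlist, the detection signatures and the sample templates are constructed for this example.

```python
import html
import re

# Constructed allowlist: the only placeholders an admin-edited email template may use.
ALLOWED_FIELDS = frozenset({"username", "site_title", "site_url", "subject", "body"})

# A placeholder is exactly one bare identifier inside {{ }}. Dots, brackets, calls,
# filters or literals inside the braces are template logic and are refused.
PLACEHOLDER = re.compile(r"\{\{\s*([A-Za-z_]\w*)\s*\}\}")

# Every brace construct a template language could interpret: expression,
# statement or comment blocks.
ANY_BLOCK = re.compile(r"\{\{.*?\}\}|\{%.*?%\}|\{#.*?#\}", re.S)

# Constructed detection signatures for an audit log or SIEM rule on template edits.
SIGNATURES = (
    ("statement block", re.compile(r"\{%.*?%\}", re.S)),
    ("dunder access", re.compile(r"__\w+__")),
    ("attribute or index access", re.compile(r"\{\{[^}]*[.\[][^}]*\}\}")),
    ("function call", re.compile(r"\{\{[^}]*\([^}]*\}\}")),
    ("filter", re.compile(r"\{\{[^}]*\|[^}]*\}\}")),
)


def audit_template(text):
    """Return (label, snippet) findings for each suspicious construct in a template.
    Meant for logging and alerting on template edits; render_email does the blocking."""
    findings = []
    for label, pattern in SIGNATURES:
        for match in pattern.finditer(text):
            findings.append((label, match.group(0)))
    return findings


def render_email(template_text, context):
    """Substitution-only rendering of an admin-supplied email template.

    Raises ValueError on any brace construct other than an allow-listed bare
    placeholder, so the template text is never handed to an expression evaluator.
    Substituted values are HTML-escaped so data cannot inject markup either."""
    for match in ANY_BLOCK.finditer(template_text):
        block = match.group(0)
        placeholder = PLACEHOLDER.fullmatch(block)
        if placeholder is None:
            raise ValueError(f"template logic is not permitted: {block!r}")
        if placeholder.group(1) not in ALLOWED_FIELDS:
            raise ValueError(f"unknown placeholder: {placeholder.group(1)!r}")

    def substitute(match):
        return html.escape(str(context.get(match.group(1), "")))

    return PLACEHOLDER.sub(substitute, template_text)


def template_is_safe(template_text):
    """True if render_email would accept the template, False otherwise."""
    try:
        render_email(template_text, {})
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample templates: one legitimate, the probe from the report,
    # and an expression that reads engine configuration.
    samples = [
        "Hello {{ username }}, welcome to {{ site_title }}!",
        "{{77}}",
        "{{ config.items() }}",
    ]
    for sample in samples:
        verdict = "safe" if template_is_safe(sample) else "REJECTED"
        print(repr(sample), verdict, audit_template(sample))
    print(render_email(samples[0], {"username": "alice", "site_title": "Forum <Beta>"}))
```

Because the renderer never passes the template text to an expression evaluator, probes such as {{77}} or {{ config.items() }} are rejected before any rendering happens, and an unknown placeholder name is rejected rather than silently resolved. The audit findings are the signals a detection rule on template-edit events would look for, so that an administrator account submitting template logic is alerted on even if the edit is blocked.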

Impact:

Remote code execution.

System compromise.

Data breach.


Sources:

Reported By: github.com
Extra Source Hub:
Undercode
