VYPR
Vendor: FriendsOfFlarum

Products: 3
CVEs: 7
Across products: 7
Status: Private

Recent CVEs (7)

  • CVE-2024-58303 | High | Dec 11, 2025
    risk 0.56 | cvss | epss 0.01

    FoF Pretty Mail 1.1.2 contains a server-side template injection vulnerability that allows administrative users to inject malicious code into email templates. Attackers can execute system commands by inserting crafted template expressions that trigger arbitrary code execution…

  • CVE-2024-58302 | Medium | Dec 11, 2025
    risk 0.45 | cvss | epss 0.00

    FoF Pretty Mail 1.1.2 contains a local file inclusion vulnerability that allows administrative users to include arbitrary server files in email templates. Attackers can exploit the template settings by inserting file inclusion payloads to read sensitive system files like…

  • CVE-2022-35921 | Aug 1, 2022
    risk 0.00 | cvss | epss 0.00

    fof/byobu is a private discussions extension for Flarum forum. Affected versions were found to not respect private discussion disablement by users. Users of Byobu should update the extension to version 1.1.7, where this has been patched. Users of Byobu with Flarum 1.0 or 1.1…

  • CVE-2022-30999 | May 25, 2022
    risk 0.00 | cvss | epss 0.01

    FriendsofFlarum (FoF) Upload is an extension that handles file uploads intelligently for your forum. If FoF Upload prior to version 1.2.3 is configured to allow the uploading of SVG files ('image/svg+xml'), navigating directly to an SVG file URI could execute arbitrary…

  • CVE-2020-7875 | Oct 28, 2021
    risk 0.00 | cvss | epss 0.01

    DEXT5 Upload 5.0.0.117 and earlier versions contain a vulnerability that could allow a remote attacker to download and execute a remote file by setting the argument, variable in the ActiveX module. This can be leveraged for code execution.

  • CVE-2020-7808 | May 21, 2020
    risk 0.00 | cvss | epss 0.01

    In RAONWIZ K Upload v2018.0.2.51 and prior, automatic update processing without an integrity check on the update module (web.js) allows an attacker to modify arguments, which causes downloading a random DLL and injection on it.

  • CVE-2019-7306 | Apr 17, 2020
    risk 0.00 | cvss | epss 0.02

    Byobu Apport hook may disclose sensitive information since it automatically uploads the local user's .screenrc which may contain private hostnames, usernames and passwords. This issue affects: byobu