Description

Maho is a free and open source ecommerce platform. In Maho prior to 25.9.0, an authenticated staff user with access to the `Dashboard` and `Catalog\Manage Products` permissions can create a custom option on a listing with a file input field. By allowing file uploads with a `.php` extension, the user can use the filed to upload malicious PHP files, gaining remote code execution. Version 25.9.0 fixes the issue.

INFO

Published Date :

2025-09-08T21:27:55.103Z

Last Modified :

2025-09-09T13:30:56.695Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2025-58449 vulnerability.

No data.

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-58449.

URL Resource
https://github.com/MahoCommerce/maho/commit/db54a1b44e9b3fd26b27ca4d5ece0af99c4dcb53 cve-icon cve-icon
https://github.com/MahoCommerce/maho/security/advisories/GHSA-vgmm-27fc-vmgp cve-icon cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability