CVE-2025-58449 HIGH

CVE-2025-58449: Maho Vulnerable to Authenticated Remote Code Execution via File Upload

Vendor Mahocommerce
Product maho
Weakness CWE-646
Published September 8, 2025
Last update September 9, 2025

CVSS base score

8.7/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

What the vulnerability does

01Description

Maho is a free and open source ecommerce platform. In Maho prior to 25.9.0, an authenticated staff user with access to the `Dashboard` and `Catalog\Manage Products` permissions can create a custom option on a listing with a file input field. By allowing file uploads with a `.php` extension, the user can use the filed to upload malicious PHP files, gaining remote code execution. Version 25.9.0 fixes the issue.

Key dates

02Disclosure timeline

September 8, 2025 CVE published
September 9, 2025 Record updated