Remote Code Execution Vulnerability in Maho Ecommerce Platform
CVE-2025-58449

8.7 HIGH

Key Information:

CVE Published: 8 September 2025

What is CVE-2025-58449?

Maho, an open-source ecommerce platform, is susceptible prior to version 25.9.0 to a remote code execution vulnerability. Authenticated staff users who hold the Dashboard and Catalog: Manage Products permissions can exploit it by uploading files with a .php extension; the server then executes the uploaded file as arbitrary PHP code, potentially giving an attacker control over the server. Version 25.9.0 fixes the vulnerability by correcting the file upload feature.
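The class of defect described above is a product image upload handler that lets a file ending in .php reach a web-served directory. The following is an added example, not Maho's code or its actual fix, of the allowlist-style validation such a handler needs: the denylist check is shown only as the weak form, and the constants, directory path and field name are hypothetical.

```php
<?php
declare(strict_types=1);

// Added example, not Maho's code: allowlist validation for a product image
// upload so that a file named *.php is never written where the web server
// will execute it. Directory, field name and function names are hypothetical.

/** Extensions the handler accepts, lowercase. Anything else is rejected. */
const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'webp'];

/** MIME type expected in the file's bytes for each accepted extension. */
const EXPECTED_MIME = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'gif'  => 'image/gif',
    'webp' => 'image/webp',
];

/** Directory where validated files are stored (hypothetical path). */
const UPLOAD_DIR = '/var/www/media/catalog/product';

/**
 * Denylist check, shown only as the weak form: it stops "shell.php" and
 * nothing else, and a denylist is always incomplete.
 */
function isAllowedByDenylist(string $originalName): bool
{
    return !str_ends_with(strtolower($originalName), '.php');
}

/**
 * Allowlist check on name and content. Returns the name to store the file
 * under, or null when the upload must be rejected.
 */
function validateUpload(string $originalName, string $tmpPath): ?string
{
    // Drop any directory components and normalise case before inspecting.
    $base = strtolower(basename($originalName));

    // Every dot-separated segment after the first must be an allowed
    // extension, so "image.php.jpg" and "image..jpg" fail, not only "image.php".
    $segments = explode('.', $base);
    if (count($segments) < 2) {
        return null; // no extension at all
    }
    $extensions = array_slice($segments, 1);
    foreach ($extensions as $ext) {
        if (!in_array($ext, ALLOWED_EXTENSIONS, true)) {
            return null;
        }
    }
    $ext = $extensions[count($extensions) - 1];

    // The name alone is not enough: sniff the bytes and require the MIME
    // type that belongs to the claimed extension.
    $detected = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($detected !== EXPECTED_MIME[$ext]) {
        return null;
    }

    // Never keep the client-supplied name; store under a random one that
    // carries only the validated extension.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

/**
 * Handler glue for one upload field. move_uploaded_file() refuses paths
 * that did not arrive through an HTTP upload.
 */
function handleProductImageUpload(array $file): void
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        http_response_code(400);
        exit('upload failed');
    }
    $stored = validateUpload($file['name'], $file['tmp_name']);
    if ($stored === null) {
        http_response_code(400);
        exit('file type not allowed');
    }
    if (!move_uploaded_file($file['tmp_name'], UPLOAD_DIR . '/' . $stored)) {
        http_response_code(500);
        exit('could not store file');
    }
}

// Hypothetical field name "image"; $_FILES is PHP's own upload superglobal.
if (PHP_SAPI !== 'cli' && isset($_FILES['image'])) {
    handleProductImageUpload($_FILES['image']);
}
```

Pair the validator with server configuration that keeps the PHP interpreter away from the upload directory (for example `php_admin_flag engine off` in an Apache directory block, or an nginx location that never proxies that path to php-fpm), so that a file which slips past the check is served as bytes rather than run.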

Affected Version(s)

maho < 25.9.0

CVSS V4

Score: 8.7
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: Physical
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability reserved
  • Vulnerability published
