
CVE-2025-58449: Maho is Vulnerable to Authenticated Remote Code Execution via File Upload

September 9, 2025

In Maho 25.7.0, an authenticated staff user with access to the Dashboard and the Catalog\Manage Products permission can create a custom option of type file input on a product listing. Because the option's allowed-extension list accepts a .php extension, the user can use that field to upload malicious PHP files and gain remote code execution.
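As an added illustration, not code from Maho or from its fix commit, the following PHP sketch shows the control the advisory describes as missing: the admin-entered extension list for a file-type custom option is sanitised so that server-executable extensions are never allowed, and each uploaded file name is then checked against that sanitised list rather than the raw admin input. All function and variable names here are hypothetical, and the sample input is constructed.

```php
<?php
// Added example, not Maho's own code. Demonstrates the mitigation pattern for
// a CWE-646-style weakness: an admin-configured upload allow-list must not be
// trusted to exclude executable file types on its own.

declare(strict_types=1);

/** Extensions a PHP web server or common handler mappings may execute. */
const EXECUTABLE_EXTENSIONS = [
    'php', 'php3', 'php4', 'php5', 'php7', 'php8', 'phtml', 'phar',
    'phps', 'pht', 'shtml', 'cgi', 'pl', 'py', 'htaccess', 'htpasswd',
];

/**
 * Normalise an admin-entered comma-separated extension list and drop
 * anything that could be executed server-side. Returns the safe list and
 * the entries that were rejected so the admin UI can report them.
 *
 * @return array{allowed: string[], rejected: string[]}
 */
function sanitizeAllowedExtensions(string $rawList): array
{
    $allowed = [];
    $rejected = [];
    foreach (explode(',', $rawList) as $entry) {
        // Lower-case, strip whitespace, NULs and a leading/trailing dot.
        $ext = strtolower(trim($entry, " \t\n\r\0\x0B."));
        if ($ext === '') {
            continue;
        }
        // Only short alphanumeric extensions: no dots, slashes or NULs inside,
        // and never an extension the server might hand to an interpreter.
        if (!preg_match('/^[a-z0-9]{1,10}$/', $ext)
            || in_array($ext, EXECUTABLE_EXTENSIONS, true)) {
            $rejected[] = $ext;
            continue;
        }
        if (!in_array($ext, $allowed, true)) {
            $allowed[] = $ext;
        }
    }
    return ['allowed' => $allowed, 'rejected' => $rejected];
}

/**
 * Decide whether an uploaded file name is acceptable for a custom option.
 * Every extension segment in the name is checked, so "shell.php.jpg" is
 * rejected on servers that map multiple extensions to handlers, and the
 * final segment must be on the sanitised allow-list.
 */
function isUploadAllowed(string $clientFileName, array $allowedExtensions): bool
{
    // Use only the base name; the client-supplied path is untrusted.
    $base = basename(str_replace('\\', '/', $clientFileName));
    $parts = explode('.', strtolower($base));
    if (count($parts) < 2) {
        return false; // no extension at all
    }
    array_shift($parts); // drop the file stem, keep every extension segment
    foreach ($parts as $part) {
        if (in_array($part, EXECUTABLE_EXTENSIONS, true)) {
            return false;
        }
    }
    return in_array(end($parts), $allowedExtensions, true);
}

// Constructed sample: an admin typed a list that includes PHP extensions,
// as in the advisory scenario. The sanitiser keeps only the image types.
$options = sanitizeAllowedExtensions('jpg, png, PHP, phtml');
var_dump($options);

var_dump(isUploadAllowed('logo.png', $options['allowed']));
var_dump(isUploadAllowed('shell.php', $options['allowed']));
var_dump(isUploadAllowed('shell.php.png', $options['allowed']));
var_dump(isUploadAllowed('archive.tar.gz', ['gz']));
```

The extension check is only one layer: because CWE-646 is precisely about relying on the file name, a deployment should also store customer uploads outside the web root or in a directory where script execution is disabled, and validate content type independently of the name. For this advisory the authoritative fix remains upgrading to 25.9.0 or later.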

References

  • github.com/MahoCommerce/maho
  • github.com/MahoCommerce/maho/commit/db54a1b44e9b3fd26b27ca4d5ece0af99c4dcb53
  • github.com/MahoCommerce/maho/security/advisories/GHSA-vgmm-27fc-vmgp
  • github.com/advisories/GHSA-vgmm-27fc-vmgp
  • nvd.nist.gov/vuln/detail/CVE-2025-58449


Affected versions

All versions before 25.9.0

Fixed versions

  • 25.9.0

Solution

Upgrade to version 25.9.0 or above.

Weakness

  • CWE-646: Reliance on File Name or Extension of Externally-Supplied File

Source file

packagist/mahocommerce/maho/CVE-2025-58449.yml


Page generated Thu, 25 Sep 2025 12:21:04 +0000.