PT-2025-36514 · Maho · Maho

D-Xuan · Published 2025-09-08 · Updated 2025-09-09

CVE-2025-58449
CVSS v4.0: 8.7 (High)
Vector: AV:N/AC:L/AT:P/PR:H/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Name of the Vulnerable Software and Affected Versions: Maho versions prior to 25.9.0
Description: Maho is a free and open-source e-commerce platform. An authenticated staff user who holds the Dashboard and Catalog > Manage Products permissions can add a custom option of the file-input type to a product listing. If that option's list of permitted upload extensions includes .php, the user can upload a PHP file through the storefront and have the web server execute it, gaining remote code execution.
Recommendations: Update to version 25.9.0 or later.
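The root cause described above is an admin-controlled extension list that is allowed to contain server-executable types. The following PHP is an added example of the kind of validation that closes that gap; it is not Maho's own code or its actual fix, and the class and method names (OptionUploadPolicy, normaliseAllowedExtensions, isFilenameAllowed) are hypothetical. It applies an allowlist at two points: when the staff user saves the option's permitted extensions, and again when a customer's uploaded filename is checked.

```php
<?php
// Added example, not Maho's code. Hypothetical helper that validates the
// "allowed extensions" setting of a file-type custom option and the
// filenames uploaded against it.

final class OptionUploadPolicy
{
    // Extensions a typical PHP web server hands to the interpreter, or that
    // PHP treats as executable archives. None of these may ever be allowed,
    // regardless of what an administrator types into the option.
    private const SERVER_EXECUTABLE = [
        'php', 'php3', 'php4', 'php5', 'php7', 'php8', 'phps', 'phtml', 'phar',
        'pht', 'shtml', 'cgi', 'pl', 'htaccess', 'htpasswd',
    ];

    // Conservative fallback when the administrator leaves the list empty.
    private const DEFAULT_ALLOWED = ['jpg', 'jpeg', 'png', 'gif', 'pdf'];

    /**
     * Validate the comma-separated extension list entered when a file-type
     * custom option is created. Returns the normalised allowlist, or throws
     * if the list is malformed or contains an executable type.
     */
    public static function normaliseAllowedExtensions(string $raw): array
    {
        $result = [];
        foreach (explode(',', $raw) as $ext) {
            $ext = strtolower(trim($ext, " \t\n\r\0\x0B."));
            if ($ext === '') {
                continue;
            }
            // Plain alphanumeric tokens only: no dots, slashes or NUL bytes
            // that could smuggle a second extension or break path handling.
            if (!preg_match('/^[a-z0-9]{1,10}$/', $ext)) {
                throw new InvalidArgumentException("Malformed extension: $ext");
            }
            if (in_array($ext, self::SERVER_EXECUTABLE, true)) {
                throw new InvalidArgumentException("Executable extension not permitted: $ext");
            }
            $result[$ext] = true;
        }
        return array_keys($result) ?: self::DEFAULT_ALLOWED;
    }

    /**
     * Check an uploaded filename against the allowlist. Every dot-separated
     * segment after the base name is examined, so a name such as
     * "shell.php.jpg" is rejected even though its last extension is allowed;
     * servers that match handlers on any extension would otherwise run it.
     */
    public static function isFilenameAllowed(string $filename, array $allowed): bool
    {
        $base = basename(str_replace('\\', '/', $filename));
        if ($base === '' || strpos($base, "\0") !== false) {
            return false;
        }
        $parts = explode('.', strtolower($base));
        if (count($parts) < 2) {
            return false; // no extension at all
        }
        array_shift($parts); // drop the name portion, keep every extension
        foreach ($parts as $segment) {
            if ($segment === '' || in_array($segment, self::SERVER_EXECUTABLE, true)) {
                return false;
            }
        }
        // The final extension decides the type and must be on the allowlist.
        return in_array(end($parts), $allowed, true);
    }
}

// Usage with constructed sample values.
$allowed = OptionUploadPolicy::normaliseAllowedExtensions('jpg, png, PDF');
var_dump(OptionUploadPolicy::isFilenameAllowed('photo.JPG', $allowed));
var_dump(OptionUploadPolicy::isFilenameAllowed('shell.php.jpg', $allowed));
try {
    OptionUploadPolicy::normaliseAllowedExtensions('jpg,php');
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

The check is deliberately an allowlist rather than a denylist: the executable-extension table exists only to refuse administrator input, while accepted uploads must match an explicit list. As defence in depth, the upload directory should also be served without script execution (or kept outside the web root), so that a single mistake in the extension check does not become code execution; applying the vendor update to 25.9.0 remains the primary fix.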

Exploit · Fix · RCE

Weakness Enumeration

Related Identifiers

CVE-2025-58449
GHSA-VGMM-27FC-VMGP

Affected Products

Maho