CVE-2025-58449 - Vulnerability Details - OpenCVE

Maho is a free and open source ecommerce platform. In Maho prior to 25.9.0, an authenticated staff user with access to the `Dashboard` and `Catalog\Manage Products` permissions can create a custom option on a listing with a file input field. By allowing file uploads with a `.php` extension, the user can use the filed to upload malicious PHP files, gaining remote code execution. Version 25.9.0 fixes the issue.

Attack Vector Network

Attack Complexity Low

Privileges Required High

Attack Requirements Present

User Interaction Active

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact High

Subsequent System Integrity Impact High

Subsequent System Availability Impact High

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

No data.

No data.

No data.

No data.

References

Link	Providers
https://github.com/MahoCommerce/maho/commit/db54a1b44e9b3fd26b27ca4d5ece0af99c4dcb53
https://github.com/MahoCommerce/maho/security/advisories/GHSA-vgmm-27fc-vmgp

History

Mon, 08 Sep 2025 21:30:00 +0000

Type	Values Removed	Values Added
Description		Maho is a free and open source ecommerce platform. In Maho prior to 25.9.0, an authenticated staff user with access to the `Dashboard` and `Catalog\Manage Products` permissions can create a custom option on a listing with a file input field. By allowing file uploads with a `.php` extension, the user can use the filed to upload malicious PHP files, gaining remote code execution. Version 25.9.0 fixes the issue.
Title		Maho Vulnerable to Authenticated Remote Code Execution via File Upload
Weaknesses		CWE-646
References		https://github.com/MahoCommerce/maho/commit/db54a1b44e9b3fd26b27ca4d5ece0af99c4dcb53 https://github.com/MahoCommerce/maho/security/advisories/GHSA-vgmm-27fc-vmgp
Metrics		cvssV4_0 `{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2025-09-08T21:27:55.103Z

Updated: 2025-09-08T21:27:55.103Z

Reserved: 2025-09-01T20:03:06.533Z

Link: CVE-2025-58449

Vulnrichment

No data.

NVD

Status : Received

Published: 2025-09-08T22:15:34.423

Modified: 2025-09-08T22:15:34.423

Link: CVE-2025-58449

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-58449", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-09-01T20:03:06.533Z", "datePublished": "2025-09-08T21:27:55.103Z", "dateUpdated": "2025-09-08T21:27:55.103Z"}, "containers": {"cna": {"title": "Maho Vulnerable to Authenticated Remote Code Execution via File Upload", "problemTypes": [{"descriptions": [{"cweId": "CWE-646", "lang": "en", "description": "CWE-646: Reliance on File Name or Extension of Externally-Supplied File", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "HIGH", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "baseScore": 8.7, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H", "version": "4.0"}}], "references": [{"name": "https://github.com/MahoCommerce/maho/security/advisories/GHSA-vgmm-27fc-vmgp", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/MahoCommerce/maho/security/advisories/GHSA-vgmm-27fc-vmgp"}, {"name": "https://github.com/MahoCommerce/maho/commit/db54a1b44e9b3fd26b27ca4d5ece0af99c4dcb53", "tags": ["x_refsource_MISC"], "url": "https://github.com/MahoCommerce/maho/commit/db54a1b44e9b3fd26b27ca4d5ece0af99c4dcb53"}], "affected": [{"vendor": "MahoCommerce", "product": "maho", "versions": [{"version": "< 25.9.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-09-08T21:27:55.103Z"}, "descriptions": [{"lang": "en", "value": "Maho is a free and open source ecommerce platform. In Maho prior to 25.9.0, an authenticated staff user with access to the `Dashboard` and `Catalog\\Manage Products` permissions can create a custom option on a listing with a file input field. By allowing file uploads with a `.php` extension, the user can use the filed to upload malicious PHP files, gaining remote code execution. Version 25.9.0 fixes the issue."}], "source": {"advisory": "GHSA-vgmm-27fc-vmgp", "discovery": "UNKNOWN"}}}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Maho is a free and open source ecommerce platform. In Maho prior to 25.9.0, an authenticated staff user with access to the `Dashboard` and `Catalog\\Manage Products` permissions can create a custom option on a listing with a file input field. By allowing file uploads with a `.php` extension, the user can use the filed to upload malicious PHP files, gaining remote code execution. Version 25.9.0 fixes the issue."}], "id": "CVE-2025-58449", "lastModified": "2025-09-08T22:15:34.423", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2025-09-08T22:15:34.423", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/MahoCommerce/maho/commit/db54a1b44e9b3fd26b27ca4d5ece0af99c4dcb53"}, {"source": "security-advisories@github.com", "url": "https://github.com/MahoCommerce/maho/security/advisories/GHSA-vgmm-27fc-vmgp"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-646"}], "source": "security-advisories@github.com", "type": "Primary"}]}