CVE-2025-58449
CVE-2025-58449 affects Maho prior to 25.9.0. An authenticated staff user with Dashboard and Catalog\Manage Products permissions can create a custom option with a file input and, by whitelisting a ".php" extension, upload PHP files that are written to a predictable webroot path and can be executed...