🎉🎉 Welcome to Maho 26.1.0 "Triple Heart" 🎉🎉
2025 was an outstanding year for Maho. We removed PrototypeJS, jQuery, and all legacy Zend Framework components, replacing them with modern alternatives: Doctrine DBAL for database operations, Symfony for caching and sessions, Monolog for logging, and TipTap as our WYSIWYG editor. We also introduced passkeys authentication, a self-hosted GDPR-compliant captcha, customer segmentation, a blog module, dynamic categories, and official Docker images.
Now we're kicking off 2026 with yet another monumental milestone: multi-database support. For the first time ever, Maho can run on PostgreSQL and SQLite alongside MySQL!
But that's just the beginning. This release also brings passwordless authentication, a complete gift card module, automated product linking rules, dozens of frontend improvements, and full PHP 8.5 compatibility. We've also upgraded to Symfony 7.4 and Emogrifier 8.
26.1.0 is our most feature-rich release yet.
Creating Maho is a massive effort that requires all the help possible, please join our sponsorship program.
It will make all the difference in the world!
Maho rocks! 🚀
https://mahocommerce.com
https://demo.mahocommerce.com
🚀 New features and major improvements
Multi-Database Support
This is the big one. Thanks to our migration to Doctrine DBAL 4.4, Maho now officially supports three database engines: MySQL, PostgreSQL, and SQLite.
PostgreSQL brings enterprise-grade capabilities for high-traffic stores, while SQLite enables lightweight deployments perfect for development, testing, or small shops. In fact, our demo store now runs on SQLite and performance is stellar, with reindex times almost 50% faster than MySQL!
Install with your preferred engine:
./maho install --db_engine mysql # Default
./maho install --db_engine pgsql # PostgreSQL
./maho install --db_engine sqlite # SQLiteMagic Link (Passwordless Login)
Passwords are so 2010. Maho now supports passwordless authentication via secure email links.
Configure two modes:
- Hybrid Mode: Traditional passwords plus optional magic link
- Passwordless Mode: Email-only login/registration with password fields completely hidden
Security features include cryptographically secure 32-character tokens, configurable expiration (default 10 minutes), rate limiting (3 requests/email/hour, 10 requests/IP/hour), and silent failure for non-existent accounts to prevent email enumeration. Zero database changes required. Read the full documentation.
Gift Card Module
A complete gift card system is now built into Maho, contributed by @trabulium!
Features include:
- Create gift card products with fixed or custom amounts
- Apply gift cards at checkout with partial payment support
- Automatic balance tracking with transaction history
- PDF export with QR codes and barcodes (using BaconQrCode and Picqer libraries—no external APIs)
- Email notifications for recipients
- Refund support that credits balances back to cards
Gift cards are a proven revenue driver and customer acquisition tool. Now they're native to Maho. Read the full documentation.
CatalogLinkRule: Automated Product Relationships
Stop manually linking related products, upsells, and cross-sells. The new Maho_CatalogLinkRule module automates product relationships through condition-based rules. Manage your rules in Catalog > Product Relationship Rules.
How it works:
- Define source conditions (e.g., "products in Electronics category over $100")
- Set target conditions for linked products
- Configure sort order (random, price, alphabetical, newest)
- Set maximum link limits and date ranges for seasonal promotions
Rules process via daily cron (3 AM by default) in batches of 100 products. A powerful SourceMatch condition lets you dynamically match target attributes against source attributes.
USPS REST API Migration
USPS is retiring their legacy XML API, so we've migrated to the modern REST API with OAuth 2.0.
New capabilities:
- Shipping label generation (previously unavailable!)
- Enhanced tracking with detailed event history
- ~90% fewer API requests: single call retrieves all rates vs. 10+ calls before
Enhanced Admin Dashboard Analytics
Third-party analytics platforms come with growing legal complexity: GDPR compliance, cross-border data transfer restrictions, cookie consent requirements, and privacy regulations that vary by country. Our enhanced dashboard gives you powerful insights while keeping all data on your own server. No cookie banners, no compliance headaches, no data leaving your infrastructure.
The admin dashboard now includes real-time visitor statistics and new visualization tabs:
- Visitors chart: 30-day trend visualization
- Devices & Browsers: Device breakdown with browser icons
- Engagement: Conversion rates and visitor categorization
- Entry & Exit Pages: Top landing and exit page analysis
- Traffic Sources: Referrer domain breakdown
- Languages: Visitor preferences with flags
Major, but not headline
- AJAX add to cart with offcanvas minicart – Products add without page reloads, minicart slides in automatically
- Unified tabbed login interface – Login, registration, and password recovery combined into one sleek page
- Fullscreen product image gallery – Click to expand with scroll-snap navigation and swipe support
- File attribute type for EAV – Native file uploads for products, categories, customers with automatic orphan cleanup
- Improved layered navigation with price input filter – New tag-based active filters UI and from/to price inputs
- Discount percentage badges on product prices – Visual savings indicators in grid, list, and detail views
- Customizable maintenance page – Store-specific templates with proper 503 headers
- Sample data installation in web installer – One-click demo data with progress tracking
- Varien to Maho namespace migration – 70 files updated from
Varien_*toMaho\*classes
TipTap WYSIWYG: Building towards a page builder
We're continuing to enhance TipTap, laying the groundwork for a full-fledged page builder. This release adds powerful new editing capabilities:
- Multi-column layouts – 6 layout presets (2/3/4 equal columns, sidebar left/right, wide center) with responsive stacking on mobile
- Drag & drop section reordering – Rearrange content blocks visually
- Improved table editing – Dropdown menus for table operations and cell alignment support
- Fixed media browser and widget dialogs – Resolved issues with image insertion and widget handling
Important, but not major
- Refactored web installer UI – Modern HTML5 validation, PostgreSQL/SQLite support, cleaner UX
- Cart shipping estimate form converted to AJAX – No more page reloads for rate calculations
- Modernized product reviews with dialog-based form – Cleaner review submission flow
- Admin toolbar modernized with CSS position: sticky – Replaced 220+ lines of JS with 4 lines of CSS
- Admin image preview using MahoDialog – No more deprecated window.open() popups
- Debounce and request cancellation for autocomplete – 200ms debounce, AbortController for in-flight requests
- Global AJAX loader for frontend – Consistent loading indicator across all async operations
- Parent Products tab in product edit form – See which configurable/grouped products include this simple product
- Improved crosssell layout in checkout – Better visual presentation
- Better checkout first step alignment – Cleaner billing/shipping address layout
- Improved product page buttons layout – Refined add-to-cart area
- Unified cart item options styling with SKU display – Consistent product options presentation
- Improved gift message display in order view – Cleaner customer-facing gift message presentation
- Simplified newsletter subscription page – Streamlined customer account section
New CLI commands
./maho migrate– Run database migrations without admin panel access./maho maintenance:enable/disable/status– Manage maintenance mode with IP whitelisting./maho frontend:theme:create– Scaffold themes with validation and collision detection./maho frontend:layout:debug– Analyze layout handles, XML files, and block trees for any URL
Less important changes and fixes
- Restyled customer menu in backend
- Removed redundant My Account menu from System menu
- Hid unused My Account sidebar links
- Removed "Last Ordered Items" sidebar from My Account
- Disabled slideshow insertion in newsletter template editor
- Removed sample data CSS (moved to sample data repo)
- Added Spanish (Bolivia) to locale configuration
- Added health-check for frontend theme and Varien class usage
- Fixed HTML structure in shipment tracking email template
- Fixed coupon usage tracking for free shipping-only rules
- Fixed rule condition chooser and replaced GIF icons with SVG
- Fixed bug with mass actions after Zend_Controller removal
- Fixed tier price display when some tier prices exceed special price
- Fixed minicart AJAX updates in offcanvas mode
- Fixed missing massDelete action in Cron Jobs controller
- Fixed DateMalformedStringException in isStoreDateInInterval
- Fixed hardcoded table names in Mage_Log setup script
- Fixed
Maho\Db\Exprhandling in database adapters - Fixed db:query and db:connect to respect engine setting
- Fixed symlink "File exists" warning from Symfony cache
- Fixed unnecessary GROUP BY in Flat Category getProductCount()
- Fixed deprecated OTPHP method calls in Auth helper
- Fixed guest order shipping address overwritten during order edit
- Fixed sample data attribute group ID remapping
- Fixed Gift Card order renderer to use joined data
- Fixed duplicate AJAX requests on grid filter keypress
- Fixed infinite redirect loop caused by consecutive slashes in URL
- Fixed sample data import removing core attributes from Default set
Code quality & modernization
- Removed deprecated code from Mage_CatalogInventory_Model_Observer
- Fixed all
function.impossibleTypePHPStan errors - Fixed all
if.alwaysTruePHPStan errors - Removed HTML tables in admin content-header toolbars
- Removed a lot of ancient deprecated code
- Removed all deprecated code until Magento 1.5
- Removed all deprecated Magento code
- Removed all deprecated code older than one year
- Removed unused customer-facing OAuth functionality
- Replaced
Varien_Profilernaming withMaho\Profiler - Replaced legacy GIF icons with SVG and removed unused assets
- Replaced whitelist/blacklist with inclusive terminology
- Removed redundant translation wrappers
- Added PHPStan strict rules with matchingInheritedMethodNames
- Fixed PHPStan reportWrongPhpDocTypeInVarTag errors
- Added PHPStan reportMaybesInPropertyPhpDocTypes setting
- Applied MakeInheritedMethodVisibilitySameAsParentRector
- Applied ChangeNestedIfsToEarlyReturnRector
- Added RemoveAlwaysElseRector to configuration
- Converted to short array notation in comments
- Switched negated ternary expressions for readability
Security improvements
- Added path validation security utilities in
\Maho\Io– Blocks dangerous stream wrappers, validates path containment - Added Rector rule to secure unserialize() calls – Automatically adds
['allowed_classes' => false] - Added Rector rule for Varien to Maho namespace migration – Helps modernize third-party code
Dependencies & infrastructure
- Updated Symfony to 7.4
- Upgraded Emogrifier to version 8
- PHP 8.5 compatibility fixes
- Additional PHP 8.5 compatibility fixes
- Disabled flat catalog for SQLite and PostgreSQL – Uses EAV tables for compatibility
- Consolidated database config: single engine value – Simplified local.xml configuration
- Added SQLite database support
- EAV attribute ID remapping for sample data import
- Added missing license texts in Maho modules
- Renamed @package tags to MahoLib in lib/Maho
New Contributors
- @JDavidVR made their first contribution in #466
- @trabulium made their first contribution in #441
Welcome to the Maho community! 🎉
