PT-2025-18203 · Showdoc · Showdoc
Plzmyy · Published 2025-04-29 · Updated 2026-04-27 · CVE-2025-0520
CVSS v4.0: 9.4 Critical
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions
ShowDoc versions prior to 2.8.7
Description
An unrestricted file upload issue caused by improper validation of file extensions allows unauthenticated attackers to upload arbitrary PHP files, such as web shells, leading to remote code execution. This flaw is being actively exploited on unpatched servers, with incidents observed on a U.S.-based honeypot. It is estimated that over 2,000 ShowDoc instances are publicly accessible online, with the majority located in China.
Recommendations
Update ShowDoc to version 2.8.7 or later.
Update ShowDoc to the latest version (3.8.1) immediately.
Exploit · Fix · RCE · Unrestricted File Upload
Affected Products
Showdoc