Description
An unrestricted file upload vulnerability in ShowDoc, caused by improper validation of file extensions, allows execution of arbitrary PHP, leading to remote code execution. This issue affects ShowDoc versions before 2.8.7.
References (4)
Core References
Various Sources exploit
https://github.com/vulhub/vulhub/tree/master/showdoc/CNVD-2020-26585
Issue Tracking patch
issue-tracking
https://github.com/star7th/showdoc/pull/1059
Various Sources third-party-advisory
https://www.cnvd.org.cn/flaw/show/CNVD-2020-26585
Third Party Advisory third-party-advisory
https://www.vulncheck.com/advisories/showdoc-unauthenticated-file-upload-rce
Scores
CVSS v4
9.4
EPSS
0.0203
EPSS Percentile
83.9%
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
total
Details
VulnCheck KEV
2026-04-10
CWE
CWE-434
Status
published
Products (2)
ShowDoc/ShowDoc
< 2.8.7
showdoc/showdoc
0 - 2.8.7 (Packagist)
Published
Apr 29, 2025
Tracked Since
Feb 18, 2026