thehackernews.com 4/14/2026, 6:28:07 AM · via preferred

ShowDoc flaw CVE-2025-0520 exploited, hackers drop web shells

CyberSIXT Evidence Panel
CVE Intel
CISA KEV: Not in KEV
Patch: Available

ShowDoc has a critical vulnerability, CVE-2025-0520 (also tracked as CNVD-2020-26585), rated 9.4 out of 10. It is an unrestricted file upload flaw caused by improper validation of file extensions, and it can enable remote code execution. According to Vulhub’s advisory, in ShowDoc versions before 2.8.7 an attacker can upload a web shell and execute arbitrary code on the server. The flaw was fixed in ShowDoc 2.8.7, shipped in October 2020; the current version is listed as 3.8.1.

The Hacker News notes that CVE-2025-0520 has come under active exploitation for the first time. The observed exploit dropped a web shell on a U.S.-based honeypot running a vulnerable ShowDoc version. More than 2,000 ShowDoc instances are online, most of them in China. Caitlin Condon, vice president of security research at VulnCheck, is cited as sharing the new details of active exploitation. Users running ShowDoc are advised to update to the latest version for protection.


Article by CyberSIXT