securityaffairs.com 4/14/2026, 10:28:12 AM

ShowDoc Flaw CVE-2025-0520 Exposes Thousands to RCE Attacks

CyberSIXT Evidence Panel
Primary Source: github.com
CVE Intel
CISA KEV: Not in KEV
Patch: Patch Available

A critical remote code execution flaw in ShowDoc, tracked as CVE-2025-0520 with a CVSS score of 9.4, is under active exploitation in the wild. ShowDoc is an online tool that helps IT teams share documents and improve collaboration and communication efficiency. Versions before 2.8.7 contained an unauthenticated file upload flaw that allowed attackers to deploy web shells and run code on servers; the issue was fixed in version 2.8.7, released in October 2020.

According to the advisory, an unrestricted file upload vulnerability in ShowDoc, caused by improper validation of the file extension, allows execution of arbitrary PHP, leading to remote code execution. The issue affects ShowDoc before 2.8.7. Threat actors are targeting unpatched servers, potentially gaining full control. VulnCheck researchers warn that over 2,000 instances remain exposed online, mostly in China.

As reported on 14 April 2026, organisations using the tool are strongly urged to update and secure exposed instances immediately. According to VulnCheck, the exposure continues to present a serious risk to unpatched ShowDoc deployments.


Article by CyberSIXT
