Critical ShowDoc file upload flaw now faces active exploitation on unpatched servers

Attackers have started actively exploiting a critical ShowDoc vulnerability that lets them upload a malicious PHP file and run code on the server. The flaw affects ShowDoc versions before 2.8.7 and is tracked as CVE-2025-0520, with CNVD-2020-26585 used as an alternate identifier in older references.

The bug is serious because it does not require prior login. Public advisories describe it as an unrestricted file upload issue caused by improper file-extension validation, which means an attacker can place executable PHP on a vulnerable server and turn that into remote code execution.

BEST SPRING 2026 DEALS

Editor's Choice

Private Internet Access

Access content across the globe at the highest speed rate.

70% of our readers choose Private Internet Access

70% of our readers choose ExpressVPN

ExpressVPN

Browse the web from multiple devices with industry-standard security protocols.

Nord VPN

Faster dedicated servers for specific actions (currently at summer discounts)

The active exploitation claim appears to come from VulnCheck research and has since been echoed by multiple security outlets. VulnCheck’s advisory lists the issue as a critical unauthenticated file upload RCE, while recent reporting says attacks in the wild have now been observed against exposed and unpatched ShowDoc instances.

Why this flaw matters

ShowDoc is often used to store internal documentation, API references, and team knowledge bases. If attackers compromise it, they may gain direct access to documentation that helps them move deeper into a network, even before they deploy follow-on malware or persistence. This is an inference based on ShowDoc’s role and the RCE impact documented in the advisories.

Technical descriptions of the flaw point to the /index.php?s=/home/page/uploadImg endpoint. Public exploit material shows that attackers can abuse the upload flow to bypass simple extension checks, upload a PHP payload, and then execute it through the returned file path.

That makes older internet-exposed ShowDoc servers especially risky. Recent reporting tied to VulnCheck says more than 2,000 exposed instances were visible online, which helps explain why attackers would revisit a flaw that was fixed years ago.

What is affected

Source data comes from NVD, GitHub Advisory Database, and VulnCheck.

What defenders should do now

• Upgrade any ShowDoc deployment older than 2.8.7 right away.
• Review web server logs for suspicious POST requests to the uploadImg endpoint. This recommendation follows directly from the public exploit path described in reporting and proof-of-concept references.
• Remove direct internet exposure where possible and place ShowDoc behind tighter access controls. This is a practical hardening step based on the unauthenticated RCE nature of the flaw.
• Hunt for uploaded PHP files in image or upload directories and review the server for web shells or unusual file names. This recommendation follows from the documented attack method.
• Use WAF and reverse-proxy rules to scrutinize suspicious multipart upload requests while patching is underway. This is a defensive inference, not an official vendor mitigation.

FAQ