CVE-2025-0520: ShowDoc Unauthenticated File Upload Remote Code Execution

9.4 CVSS

Description

An unrestricted file upload vulnerability in ShowDoc, caused by improper validation of the file extension, allows execution of arbitrary PHP, leading to remote code execution. This issue affects ShowDoc versions before 2.8.7.

Classification

CVE ID: CVE-2025-0520

CVSS Base Severity: CRITICAL

CVSS Base Score: 9.4

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L

Problem Types

CWE-434 Unrestricted Upload of File with Dangerous Type

Affected Products

Vendor: ShowDoc

Product: ShowDoc

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.3% (probability of being exploited)

EPSS Percentile: 52.66% (share of scored vulnerabilities with an equal or lower EPSS score)

EPSS Date: 2025-05-28 (when this score was calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-0520
https://github.com/vulhub/vulhub/tree/master/showdoc/CNVD-2020-26585
https://github.com/star7th/showdoc/pull/1059
https://www.cnvd.org.cn/flaw/show/CNVD-2020-26585

Timeline