CVE-2025-0520 CRITICAL

CVE-2025-0520: ShowDoc < 2.8.7 Unauthenticated File Upload Remote Code Execution

Vendor Showdoc
Product ShowDoc
Weakness CWE-434 · Unrestricted file upload
Published April 29, 2025
Last update November 19, 2025

CVSS base score

9.4/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L

What the vulnerability does

01 Description

An unrestricted file upload vulnerability in ShowDoc, caused by improper validation of the file extension, allows execution of arbitrary PHP, leading to remote code execution. This issue affects ShowDoc versions before 2.8.7.

Key dates

02 Disclosure timeline

April 29, 2025 CVE published
November 19, 2025 Record updated