CVE-2025-0520

An unrestricted file upload vulnerability in ShowDoc caused by improper validation of file extension allows execution of arbitrary PHP, leading to remote code execution.This issue affects ShowDoc: before 2.8.7.

Published: 4/29/2025Modified: 4/15/2026

Related Intelligence (1)

CRITICALVulnerability

ShowDoc RCE Flaw CVE-2025-0520 Actively Exploited on Unpatched Servers

A critical security vulnerability impacting ShowDoc, a document management and collaboration service popular in China, has come under active exploitation in the wild. The vulnerability in question is CVE-2025-0520 (aka CNVD-2020-26585), which carries a CVSS score of 9.4 out of 10.0. It relates to a case of unrestricted file upload that stems from improper validation of

CVE-2025-0520

Apr 14, 2026The Hacker News

References (4)

https://github.com/star7th/showdoc/pull/1059 https://github.com/vulhub/vulhub/tree/master/showdoc/CNVD-2020-26585 https://www.cnvd.org.cn/flaw/show/CNVD-2020-26585 https://www.vulncheck.com/advisories/showdoc-unauthenticated-file-upload-rce