Critical ShowDoc RCE Vulnerability Actively Exploited in the Wild
Cybersecurity News. Archived Apr 14, 2026.
Threat actors are actively exploiting a critical vulnerability in ShowDoc, a popular online document-sharing and collaboration tool used by IT teams worldwide.
Tracked under the identifier CNVD-2020-26585, this severe security flaw allows unauthenticated remote attackers to upload malicious files and execute arbitrary code on vulnerable servers.
Because ShowDoc often houses sensitive internal documentation and API specifications, a successful breach can give attackers a significant foothold in an organization’s internal network.
ShowDoc RCE Vulnerability
The vulnerability stems from an unrestricted file upload mechanism in ShowDoc versions before 2.8.7. The core issue lies in how the application processes incoming file uploads through its image upload API endpoint.
Figure: PHP file path exposed in the response (source: Vulhub)
Threat actors can bypass standard security filters entirely, requiring no prior authentication or system privileges to deliver a malicious payload directly to the server infrastructure.
Security researchers from the Vulhub project have demonstrated that the exploit requires only a single, specially crafted HTTP POST request.
By targeting the /index.php?s=/home/page/uploadImg endpoint, attackers can force the server to accept executable PHP scripts instead of standard image formats.
The exploit manipulates the Content-Disposition header by injecting specific characters into the filename, such as test.<>php, to evade basic extension validation.
Attackers embed a simple webshell or PHP execution command within the raw text of the uploaded multipart form data.
Once the server successfully processes the malicious request, it responds with the direct URL to the newly uploaded PHP file.
Navigating to this generated address executes the injected script with the privileges of the web server, granting the attacker full remote code execution capabilities.
Figure: phpinfo() executed successfully (source: Vulhub)
Organizations relying on ShowDoc must take immediate action to secure their documentation environments against this active threat.
Widely available exploit code makes unpatched servers easy targets for automated scanning and attacks, as highlighted in a VulnCheck researcher report on GitHub.
Administrators must upgrade their ShowDoc instances to version 2.8.7 or later to apply the official security patch for this flaw.
Security teams should aggressively review web server access logs for suspicious POST requests targeting the image upload directory.
Network defenders must restrict access to internal documentation servers to prevent them from being directly exposed to the public internet.
Organizations should configure Web Application Firewalls to inspect incoming traffic and block malformed file upload requests containing executable script extensions.
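For the access-log review recommended above, the following added example (not from the original article or the ShowDoc project) flags POST requests to the uploadImg endpoint, including URL-encoded and case-varied forms, and then flags any later successful request from the same client to a .php file other than index.php. The combined log format, the index.php heuristic, the function names and the sample lines are assumptions made for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Route named in the article; matched after URL-decoding and lowercasing.
UPLOAD_ROUTE = "/home/page/uploadimg"

# Assumed combined/common access log format; adjust for your server.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

def is_upload_post(method, target):
    """POST whose decoded request target names the uploadImg route."""
    return method == "POST" and UPLOAD_ROUTE in unquote(target).lower()

def is_stray_php(target):
    """Heuristic: a .php path that is not an index.php front controller."""
    path = unquote(urlsplit(target).path).lower()
    return path.endswith(".php") and not path.endswith("/index.php")

def scan(lines):
    """Return (kind, ip, timestamp, target) findings in log order."""
    findings, uploaders = [], set()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than abort the scan
        ip, ts, target = m["ip"], m["ts"], m["target"]
        if is_upload_post(m["method"], target):
            uploaders.add(ip)
            findings.append(("upload_post", ip, ts, target))
        elif ip in uploaders and m["status"] == "200" and is_stray_php(target):
            findings.append(("php_after_upload", ip, ts, target))
    return findings

# Constructed sample log lines: documentation-range IPs, placeholder upload path.
SAMPLE = [
    '198.51.100.7 - - [14/Apr/2026:09:12:01 +0000] "POST /index.php?s=/home/page/uploadImg HTTP/1.1" 200 118 "-" "curl/8.5.0"',
    '198.51.100.7 - - [14/Apr/2026:09:12:03 +0000] "GET /UPLOAD_DIR_PLACEHOLDER/example.php HTTP/1.1" 200 84213 "-" "curl/8.5.0"',
    '203.0.113.20 - - [14/Apr/2026:09:13:10 +0000] "GET /index.php?s=/home/item/index HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [14/Apr/2026:09:15:42 +0000] "POST /index.php?s=%2FHome%2FPage%2FuploadImg HTTP/1.1" 403 0 "-" "python-requests/2.31"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(*finding, sep="\t")
```

An `upload_post` hit on its own can be a legitimate image upload and needs triage; the `php_after_upload` pairing is the stronger signal that an uploaded script was reached.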