ShowDoc RCE being exploited
A remote‑code‑execution flaw in ShowDoc (CVE‑2025‑0520) is being actively exploited on unpatched servers, with security researchers reporting more than 2,000 exposed instances running vulnerable versions. The advisory warns that servers using ShowDoc prior to version 2.8.7 remain at risk. (thehackernews.com)
A flaw in ShowDoc is now being used in real attacks, letting attackers take over unpatched servers by uploading malicious files. (thehackernews.com) ShowDoc is an open-source tool teams use to publish application programming interface documentation and project notes, and the bug affects versions earlier than 2.8.7. GitHub’s advisory database says the issue was published on April 29, 2025 and fixed in version 2.8.7. (github.com)

The bug is a file-upload mistake: ShowDoc fails to properly check a file’s extension, so an attacker can upload a PHP script and run code on the server. The Common Vulnerabilities and Exposures record describes it as remote code execution caused by unrestricted upload of a dangerous file type. (cve.org)

That matters because a documentation server often sits inside a company network and can hold internal project details, credentials, or links to other systems. Once a web shell is planted, the same server can become a foothold for follow-on intrusion. (thehackernews.com)

The exploitation being reported now is not tied to a newly discovered bug. The Hacker News reported that ShowDoc shipped the fix in October 2020, and that the current version is 3.8.1. (thehackernews.com)

Researchers say the attacks were seen on April 11, 2026, when VulnCheck’s honeypot system detected an attempt to drop a web shell on a vulnerable ShowDoc server in the United States. A honeypot is a decoy machine set up to catch attackers in the act. (lilting.ch)

Internet scans shared in recent coverage put the exposed population at more than 2,000 ShowDoc instances, most of them located in China. That leaves a sizable pool of servers that can still be reached directly from the public internet. (thehackernews.com)

The vulnerability carries a Common Vulnerability Scoring System version 4 score of 9.4, which the Common Vulnerabilities and Exposures record lists as critical. The National Vulnerability Database repeats the same affected range, before 2.8.7, and maps the weakness to unrestricted upload of a dangerous file type. (cve.org) (nvd.nist.gov)

One detail in the records is still inconsistent: the Common Vulnerabilities and Exposures entry shows “Privileges Required: Low,” while multiple advisories describe the attack as unauthenticated. In practice, defenders are treating any internet-facing ShowDoc server older than 2.8.7 as exposed until it is upgraded or taken offline. (cve.org) (github.com)

The immediate fix is simple even if the risk is not: update ShowDoc to 2.8.7 or later and check older servers for unexpected PHP files or web shells. The attacks now hitting this bug are a case of an old patch gap turning into a live break-in path. (github.com) (thehackernews.com)
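A defender-side triage script for the two actions recommended above, as an added example that is not ShowDoc project code or from the cited advisories: it compares an installed version string against the fixed 2.8.7 release, and walks an upload directory flagging files with a PHP-executable extension or a PHP open tag hidden inside a file with a harmless-looking name. The list of executable extensions and the sample upload tree are assumptions constructed for the demo.

```python
"""Triage helpers for CVE-2025-0520 (added example, not ShowDoc code; samples constructed)."""
import os
import re
import tempfile

FIXED_VERSION = (2, 8, 7)  # first release with the extension check fixed
# Extensions a typical PHP handler executes; assumption, tune to the host's config.
PHP_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar"}
PHP_TAG = re.compile(rb"<\?(?:php\b|=)")  # '<?php' or the short '<?=' open tag


def parse_version(text: str) -> tuple:
    """Turn 'v2.8.6' or '3.8.1' into a comparable integer tuple."""
    return tuple(int(p) for p in re.findall(r"\d+", text))

def is_vulnerable_version(text: str) -> bool:
    """True when the installed version is older than the fixed release 2.8.7."""
    return parse_version(text) < FIXED_VERSION

def scan_uploads(root: str) -> list:
    """Return sorted (relative_path, reason) pairs for suspicious files under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            # Lowercase so 'cmd.PHP' is caught; inspect every suffix, not only the last.
            if any(s in PHP_EXTENSIONS for s in name.lower().split(".")[1:]):
                findings.append((rel, "php-executable extension"))
                continue
            with open(path, "rb") as fh:  # content check for misnamed scripts
                if PHP_TAG.search(fh.read(4096)):
                    findings.append((rel, "php open tag in non-php file"))
    return sorted(findings)

def make_sample_dir() -> str:
    """Constructed upload tree: one benign document, two files that should be flagged."""
    root = tempfile.mkdtemp(prefix="showdoc_uploads_")
    samples = {"spec.md": b"# API notes\n",
               "cmd.PHP": b"<?php echo 1; ?>",
               "logo.png": b"\x89PNG\r\n<?php echo 2; ?>"}
    for rel, body in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    print("2.8.6 vulnerable:", is_vulnerable_version("2.8.6"))
    for rel, why in scan_uploads(make_sample_dir()):
        print("FLAG", rel, why)
```

Point `scan_uploads()` at the real upload directory of a ShowDoc install to get a list of files worth inspecting by hand; a flagged file is a lead, not proof of compromise.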