ShowDoc servers under active attack

Attackers are now using a ShowDoc server bug to run code on exposed systems that never installed the fix released years ago. (thehackernews.com) ShowDoc is a self-hosted documentation tool, often used as an internal wiki for engineering teams. GitHub’s advisory database says CVE-2025-0520 affects versions before 2.8.7, and the bug lets an attacker upload a malicious file that the server then executes. (github.com) The National Vulnerability Database describes the flaw as an unrestricted file upload caused by weak file-extension checks. Its record says the result is remote code execution, meaning an outsider can make the server run attacker-controlled PHP code. (nvd.nist.gov) The patch is not new. The Hacker News reported that ShowDoc fixed the issue in version 2.8.7 in October 2020, and that the current version is 3.8.1. (thehackernews.com) What changed on April 14, 2026 is that researchers said the bug had moved from a known weakness to an active intrusion path. The Hacker News, citing VulnCheck vice president Caitlin Condon, said the company observed the exploit dropping a web shell on a United States-based honeypot running a vulnerable ShowDoc server. (thehackernews.com) A web shell is a small backdoor that lets an intruder control a server through a browser, like leaving a hidden admin panel behind. On an internal documentation server, that can turn a low-profile wiki into a foothold inside a company network. (thehackernews.com) The exposure is not limited to a handful of test boxes. The Hacker News reported that VulnCheck counted more than 2,000 internet-facing ShowDoc instances, with most of them located in China. (thehackernews.com) United States defenders often use the Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities catalog to track bugs under real-world attack. As of April 14, 2026, the catalog page available through CISA did not show ShowDoc CVE-2025-0520 in the visible listings returned by the site tool, even though CISA says the catalog is its authoritative list of vulnerabilities exploited in the wild. (cisa.gov) The vulnerability record also shows how long these bugs can sit before attackers pick them up at scale. GitHub published the advisory on April 29, 2025, the National Vulnerability Database says the record was received the same day, and the vulnerable code path still exists anywhere ShowDoc stayed below 2.8.7. (github.com, nvd.nist.gov) For ShowDoc administrators, the immediate step is simple: move off versions earlier than 2.8.7 and check exposed servers for uploaded PHP files or web shells. The opening fact of this story is also the closing one: attackers are not waiting for lagging systems to catch up. (github.com, thehackernews.com)