CVE-2025-0520 — ShowDoc unrestricted file upload vulnerability

Description

An unrestricted file upload vulnerability in ShowDoc caused by improper validation of file extension allows execution of arbitrary PHP, leading to remote code execution. This issue affects ShowDoc: before 2.8.7.

How to fix CVE-2025-0520

To remediate CVE-2025-0520, upgrade the affected package to a fixed version below.

Packagist/showdoc/showdoc—upgrade to 2.8.7 or later

Is CVE-2025-0520 being exploited?

Low — EPSS is 2.0%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 2.8.7

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L

References (6)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-0520
PATCHgithub.com/star7th/showdoc
WEBgithub.com/star7th/showdoc/pull/1059
WEBgithub.com/vulhub/vulhub/tree/master/showdoc/CNVD-2020-26585
WEB