GHSA-6jmr-r7p6-f5wr

Suggest an improvement
Source
https://github.com/advisories/GHSA-6jmr-r7p6-f5wr
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/04/GHSA-6jmr-r7p6-f5wr/GHSA-6jmr-r7p6-f5wr.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-6jmr-r7p6-f5wr
Aliases
Published
2025-04-29T21:31:55Z
Modified
2025-04-30T17:57:25.264269Z
Severity
  • 9.4 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L CVSS Calculator
Summary
ShowDoc unrestricted file upload vulnerability
Details

An unrestricted file upload vulnerability in ShowDoc caused by improper validation of file extension allows execution of arbitrary PHP, leading to remote code execution. This issue affects ShowDoc: before 2.8.7.

Database specific 
{
    "github_reviewed_at": "2025-04-30T17:31:58Z",
    "severity": "CRITICAL",
    "nvd_published_at": "2025-04-29T20:15:25Z",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-434"
    ]
}
References

Affected packages

Packagist / showdoc/showdoc

Package

Name
showdoc/showdoc
Purl
pkg:composer/showdoc/showdoc

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.8.7

Affected versions

v1.*

v1.0.0
v1.0.1
v1.0.2
v1.0.3
v1.0.4
v1.0.5
v1.1.0
v1.1.1
v1.1.3
v1.1.4
v1.1.5
v1.2.0
v1.2.1
v1.2.2
v1.2.3
v1.2.4
v1.2.5
v1.2.6
v1.3.0
v1.3.1
v1.3.3
v1.3.4
v1.3.5
v1.3.6
v1.3.7
v1.3.8
v1.4.0
v1.4.1
v1.4.2
v1.4.3
v1.4.4
v1.4.5
v1.4.6
v1.4.7
v1.5.0
v1.5.1
v1.5.2
v1.5.3
v1.6.0
v1.6.1
v1.6.2
v1.7.0
v1.7.1
v1.7.2
v1.8.0
v1.8.1
v1.8.2
v1.8.3
v1.8.4
v1.8.5
v1.8.6

v2.*

v2.0
v2.0.1
v2.0.2
v2.0.3
v2.0.4
v2.0.5
v2.0.6
v2.0.7
v2.0.8
v2.0.9
v2.0.10
v2.1.0
v2.1.1
v2.1.2
v2.1.3
v2.1.4
v2.1.5
v2.2.0
v2.2.1
v2.3.0
v2.3.1
v2.3.3
v2.4.0
v2.4.1
v2.4.2
v2.4.3
v2.4.5
v2.4.6
v2.4.7
v2.4.8
v2.4.9
v2.4.10
v2.4.11
v2.4.12
v2.4.13
v2.4.15
v2.4.16
v2.4.17
v2.5.1
v2.5.2
v2.5.3
v2.5.5
v2.6.1
v2.6.2
v2.6.3
v2.6.5
v2.6.6
v2.6.7
v2.7.0
v2.7.1
v2.8.0
v2.8.1
v2.8.2
v2.8.3
v2.8.5
v2.8.6