CVE-2026-6982 · A vulnerability was determined in star7th ShowDoc up to 2.10.10/3.6.2/3.8.0.

01 · The Real Story

This is a lockpick for the supply closet, not a battering ram for the front gate

CVE-2026-6982 is an SQL injection flaw in ShowDoc's API Page Sort endpoint, specifically in server/Application/Api/Controller/PageController.class.PHP, where the pages argument can be manipulated. Authoritative advisories describe affected releases as ShowDoc up to 2.10.10, 3.6.2, and 3.8.0; GitHub and GitLab package advisories flatten that to all versions before 3.8.1, with 3.8.1 listed as the fix and no backports for older branches.

The vendor's MEDIUM label is technically defensible in a lab, but too generous for enterprise patch priority. The decisive friction is attacker position: exploitation requires authenticated access at minimum, and in real deployments ShowDoc is a niche internal documentation app rather than a broadly exposed edge service. No KEV listing, no active exploitation evidence for this CVE, and a near-zero EPSS push this down into backlog territory unless you deliberately expose ShowDoc to the internet.

"Authenticated SQLi in a niche doc tool is real, but it is not a fleet-wide fire drill"

02 · The Attack Path

4 steps from start to impact.

STEP 01

Reach a live ShowDoc instance

The attacker first needs network reachability to a running ShowDoc server and a version older than 3.8.1. Product-wide internet exposure exists, but reporting around ShowDoc exposure suggests a relatively small footprint compared with mainstream enterprise platforms, and that telemetry is about ShowDoc generally, not a census of this exact vulnerable build set.

Conditions required:

A ShowDoc instance is deployed
The instance is running a vulnerable release before 3.8.1
The attacker can reach the web application over the network

Where this breaks in practice:

ShowDoc is a niche platform with a much smaller exposed population than common enterprise portals
Many enterprises keep documentation platforms internal or behind VPN/SSO
Exposure estimates published for ShowDoc are product-wide and do not prove this CVE is broadly reachable

Detection/coverage: External attack-surface tools can find ShowDoc, but version fingerprinting is inconsistent. Generic vuln scanners may flag the CVE from version data, yet many will miss self-hosted forks, custom builds, or instances without obvious banners.

STEP 02

Obtain a valid low-privilege session

The published CVSS vectors from VulDB/NVD and GitHub require PR:L, so this is not an unauthenticated drive-by. In practice that means the attacker needs a valid account or some prior compromise path that lands them inside the app's trust boundary before the injection matters.

Conditions required:

A valid ShowDoc user account or equivalent authenticated session
The account can access the relevant API workflow

Where this breaks in practice:

Authentication sharply narrows the attacker pool
SSO, MFA, and account lifecycle controls raise the cost of getting usable app access
If the endpoint is limited to project members or editors, blast radius narrows further

Detection/coverage: IAM, SSO, and app audit logs should show the login or token use that precedes exploitation. This prerequisite is where modern controls most often break the chain.

STEP 03

Send a crafted pages payload to the Page Sort API

Public advisory references point to a researcher Gist PoC, so the injection path is not purely theoretical. The attacker uses a normal HTTP client such as curl, Burp Suite, or the referenced PoC to supply a malicious pages parameter to the Page Sort endpoint and coerce unsafe SQL handling.

Conditions required:

Knowledge of the vulnerable endpoint and request shape
Ability to submit authenticated API requests
Server-side input is still unpatched

Where this breaks in practice:

Authenticated DAST-style attacks are harder to automate at scale than anonymous edge exploitation
Parameter validation, WAF rules, or unusual deployment customizations can break commodity payloads
The available public exploit reference is a Gist, not a mass-exploitation framework with broad telemetry

Detection/coverage: WAFs and reverse proxies may log suspicious SQL metacharacters in the pages parameter, but coverage is hit-or-miss for authenticated app traffic. App and database logs are more reliable than perimeter signatures here.

STEP 04

Abuse the app database within the authenticated trust boundary

Impact is rated low across confidentiality, integrity, and availability by both CVSS v3.1 and v4, which matches the public record: this is not a documented RCE or tenant-breakout bug. The likely result is data access or manipulation inside the ShowDoc application's database context, with business impact tied to what that instance stores and how exposed it is to the broader environment.

Conditions required:

Successful SQL injection execution
The application's database account has useful permissions
Sensitive documentation or writable records exist in the target instance

Where this breaks in practice:

Impact appears confined to the ShowDoc app context rather than a platform-level server takeover
Separate database least-privilege and network segmentation can contain fallout
A documentation tool usually has lower blast radius than identity, mail, or remote-management infrastructure

Detection/coverage: Database error logs, unusual API sort requests, and anomalous query patterns are your best signals. Signature-only scanning tends to underperform on authenticated, application-specific SQLi.

03 · Intelligence Metadata

The supporting signals.

In-the-wild status	No confirmed active exploitation for this CVE in the sources reviewed. CISA KEV does not list `CVE-2026-6982`, and the CISA ADP enrichment visible via CIRCL records exploitation as `none`.
Proof-of-concept availability	Public PoC reference exists: NVD, GitHub Advisory, and GitLab all reference a researcher Gist by `saDL0w`, which means defenders should assume reproducible exploit details are available to motivated operators.
EPSS	`0.00012` from the user-provided intel block — effectively floor-level exploit probability. Inference: even if the exact percentile shifts, this score is consistent with low observed attacker interest.
KEV status	Not KEV-listed as of `2026-05-31`. That matters because KEV absence removes the strongest operational signal that attackers are converting this bug into real campaigns.
CVSS vector	`CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L` — network reachable and easy to trigger after authentication, but only low CIA impact and no scope change. GitHub's reviewed v4 score is even lower at `5.3`.
Affected versions	NVD and GitLab describe ShowDoc before `3.8.1` as affected, while the CNA/VulDB version list explicitly includes `2.10.0`-`2.10.10`, `3.0`-`3.6.2`, `3.7`, and `3.8.0`.
Fixed versions	Upgrade to `3.8.1` or later. GitLab states the vendor will not backport fixes to the older affected branches.
Exposure / population	Reporting on ShowDoc's separate 2025 RCE notes more than 2,000 ShowDoc instances online, mostly in China. Inference: that is modest exposure by enterprise-platform standards and is product-wide, not evidence that `CVE-2026-6982` is broadly exploitable on the public internet.
Disclosure timeline	Published `2026-04-25`; GitHub Advisory was reviewed and last updated `2026-05-05`. The `v3.8.1` release page shows the fixed release was published on `2026-03-31`.
Researcher / reporter	CIRCL's aggregated CNA data credits LIU Tingwei (VulDB User) as reporter and VulDB CNA Team as coordinator.

04 · The Call

noisgate verdict.

Final Verdict

↓ DOWNGRADED to LOW (3.9/10)

The biggest downward pressure is simple: this is authenticated remote SQLi in a niche collaboration app, not unauthenticated edge compromise. That attacker-position requirement implies either valid credentials or prior foothold, which dramatically narrows real-world reach and turns this into a post-initial-access problem for most enterprises.

HIGH Affected/fixed version range and vendor baseline

MEDIUM Attack preconditions requiring authenticated access

MEDIUM Real-world exposure population being comparatively small

Why this verdict

Baseline down from 6.3: vendor CVSS assumes a generic networked app, but this product is a niche documentation platform with a smaller exposed population than common enterprise edge software.
Authenticated remote only: PR:L means the attacker needs a valid user context. That implies stolen credentials, insider access, or a prior compromise stage — each one compounds downward pressure on severity.
Limited impact profile: both published v3.1 and v4 vectors rate only low confidentiality, integrity, and availability impact with no scope change, which is a poor fit for emergency patching.
No exploitation heat: no KEV listing, no public evidence of active exploitation for this CVE, and the provided EPSS 0.00012 is negligible.
Patch path is straightforward but not urgent: there is a clean fixed version in 3.8.1, but absence of backports does not itself make this high priority; it just simplifies inventory decisions.

Why not higher?

To score higher, this would need an amplifier such as unauthenticated access, mass internet exposure, confirmed exploitation, or server-level compromise. The public record instead shows an authenticated bug with low CIA impact in a relatively niche app, which is exactly the kind of issue that looks scarier in CVSS math than in patch-ops reality.

Why not lower?

It is still a genuine injection flaw reachable over the network once an attacker is signed in, and public PoC references exist. If you run ShowDoc on the public internet or use weak local accounts without SSO/MFA, the practical risk rises enough that dismissing it entirely would be sloppy.

05 · Compensating Control

What to do — in priority order.

Keep ShowDoc off the public internet — Put the app behind VPN, ZTNA, or an internal reverse proxy so PR:L remains a meaningful barrier instead of a thin web-login speed bump. For a LOW verdict there is no formal SLA; treat this as backlog hygiene and enforce the exposure reduction in your next normal app-hardening cycle.
Front it with SSO and MFA — Because this bug needs authenticated access, stronger identity controls do real work here. Require enterprise SSO, remove local long-lived credentials where possible, and roll this into your routine IAM control baseline rather than an emergency change.
Constrain database privileges — Make sure the ShowDoc database user has only the minimum rights needed by the app. That limits what an injection can read or modify if someone does get a valid session and reach the vulnerable endpoint.
Log and inspect the Page Sort endpoint — Capture authenticated requests hitting the API Page Sort workflow and alert on obvious SQL metacharacters or anomalous sort operations. This is a practical detective control while you work the upgrade through normal change control.
Inventory and retire stray instances — The bigger operational risk with ShowDoc is forgotten self-hosted installs. Fold discovery into your backlog hygiene process and make owners either upgrade to 3.8.1+ or decommission the instance.

What doesn't work

A perimeter-only WAF is not enough if the attacker already has a valid session and the app sits on an internal segment where traffic bypasses the WAF.
EDR alone will not reliably catch authenticated SQL injection against a PHP web app unless it later turns into clear post-exploitation activity on the host.
Password rotation without MFA/SSO cleanup is weak medicine; the key friction is stopping low-privilege app access in the first place, not just changing one set of credentials.

06 · Verification

Crowdsourced verification payload.

Run this on the ShowDoc host or container filesystem with read access to the application directory. Invoke it as bash check_showdoc_cve_2026_6982.sh /opt/showdoc or point it at the mounted app root; root is not required unless the files are restricted. The script tries git metadata first, then Docker image tags, then common file scraping, and returns VULNERABLE, PATCHED, or UNKNOWN.

noisgate-verify.sh

BASHREAD-ONLYSAFE

#!/usr/bin/env bash
# check_showdoc_cve_2026_6982.sh
# Determine likely exposure to CVE-2026-6982 in self-hosted ShowDoc.
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN, 3=USAGE

set -u

TARGET="${1:-}"
FIXED="3.8.1"

usage() {
  echo "Usage: $0 <showdoc_root_path_or_docker_container_name>"
  exit 3
}

normalize_ver() {
  echo "$1" | sed -E 's/^[^0-9]*//; s/[^0-9.].*$//'
}

ver_lt() {
  # returns 0 if $1 < $2
  [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" != "$2" ]
}

extract_from_git() {
  local root="$1"
  if command -v git >/dev/null 2>&1 && [ -d "$root/.git" ]; then
    git -C "$root" describe --tags --abbrev=0 2>/dev/null | sed 's/^v//'
    return 0
  fi
  return 1
}

extract_from_docker() {
  local name="$1"
  if command -v docker >/dev/null 2>&1; then
    local image
    image=$(docker inspect --format '{{.Config.Image}}' "$name" 2>/dev/null || true)
    if [ -n "$image" ]; then
      echo "$image" | awk -F: '{print $NF}' | sed 's/^v//'
      return 0
    fi
  fi
  return 1
}

extract_from_files() {
  local root="$1"
  local candidate=""

  # Common places admins may preserve a release string
  for f in \
    "$root/README.md" \
    "$root/docker-compose.yml" \
    "$root/composer.lock" \
    "$root/composer.json" \
    "$root/index.php"; do
    if [ -f "$f" ]; then
      candidate=$(grep -Eo 'v?[0-9]+\.[0-9]+\.[0-9]+' "$f" 2>/dev/null | sed 's/^v//' | sort -V | tail -n1)
      if [ -n "$candidate" ]; then
        echo "$candidate"
        return 0
      fi
    fi
  done

  return 1
}

check_layout() {
  local root="$1"
  [ -f "$root/server/Application/Api/Controller/PageController.class.PHP" ]
}

[ -n "$TARGET" ] || usage

VERSION=""
MODE=""

if [ -d "$TARGET" ]; then
  if ! check_layout "$TARGET"; then
    echo "UNKNOWN - path does not look like a ShowDoc application root: $TARGET"
    exit 2
  fi

  VERSION=$(extract_from_git "$TARGET" || true)
  if [ -n "$VERSION" ]; then
    MODE="git"
  else
    VERSION=$(extract_from_files "$TARGET" || true)
    if [ -n "$VERSION" ]; then
      MODE="file"
    fi
  fi
else
  VERSION=$(extract_from_docker "$TARGET" || true)
  if [ -n "$VERSION" ]; then
    MODE="docker"
  fi
fi

VERSION=$(normalize_ver "$VERSION")

if [ -z "$VERSION" ]; then
  echo "UNKNOWN - unable to determine ShowDoc version from git, docker image tag, or common files"
  exit 2
fi

if ver_lt "$VERSION" "$FIXED"; then
  echo "VULNERABLE - detected ShowDoc version $VERSION via $MODE; fixed version is $FIXED"
  exit 1
else
  echo "PATCHED - detected ShowDoc version $VERSION via $MODE; fixed version is $FIXED"
  exit 0
fi

07 · Bottom Line

If you remember one thing.

TL;DR

Monday morning, do not spin up an emergency patch sprint for this one across a 10,000-host estate. Instead, identify whether you even run self-hosted ShowDoc, confirm whether any instances are internet-exposed, and if they are, move them behind VPN/SSO as routine hardening; for a LOW verdict there is no noisgate mitigation SLA and no noisgate remediation SLA beyond backlog hygiene, so document ownership now and upgrade those instances to 3.8.1+ in the next normal application maintenance window rather than burning scarce emergency capacity.

Sources

Peer Review

What defenders are saying.

Submit a review attribution: handle + country only

0 flags selected · stored anonymously

Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.