CVE-2026-6982 Overview
A SQL Injection vulnerability has been identified in star7th ShowDoc, an open-source API documentation platform. The vulnerability affects the API Page Sort Endpoint, specifically within the file server/Application/Api/Controller/PageController.class.PHP. By manipulating the pages argument, an attacker with low privileges can inject malicious SQL commands, potentially compromising database integrity, extracting sensitive information, or modifying data.
Critical Impact
Authenticated attackers can remotely exploit this SQL Injection vulnerability to read, modify, or delete database content, potentially gaining access to sensitive API documentation and user credentials stored within ShowDoc instances.
Affected Products
- star7th ShowDoc up to version 2.10.10
- star7th ShowDoc up to version 3.6.2
- star7th ShowDoc up to version 3.8.0
Discovery Timeline
- 2026-04-25 - CVE-2026-6982 published to NVD
- 2026-04-27 - Last updated in NVD database
Technical Details for CVE-2026-6982
Vulnerability Analysis
This vulnerability represents a classic SQL Injection flaw (CWE-74: Injection) in the ShowDoc application's page sorting functionality. The affected component is the PageController.class.PHP file within the API module, which handles requests to sort documentation pages. When processing the pages parameter, the application fails to properly sanitize or parameterize user input before incorporating it into SQL queries.
The attack requires low-level authentication (a valid user account), but can be executed remotely over the network with minimal complexity. Successful exploitation could allow attackers to extract sensitive data from the database, modify or delete documentation content, or potentially escalate privileges depending on the database configuration and permissions.
The vendor has released version 3.8.1 to address this vulnerability but has explicitly stated they will not backport patches to older affected versions (2.10.10, 3.6.2, and prior releases in the 3.x branch before 3.8.1).
Root Cause
The root cause of this vulnerability is improper input validation and lack of parameterized queries in the PageController.class.PHP file. The pages argument is passed directly into SQL queries without adequate sanitization, escaping, or use of prepared statements. This allows attackers to break out of the intended query structure and inject arbitrary SQL commands.
Attack Vector
The attack vector is network-based, requiring an authenticated user to send a specially crafted request to the API Page Sort Endpoint. The attacker manipulates the pages parameter to include SQL injection payloads. Since the vulnerability requires authentication but only low-level privileges, any registered user of a ShowDoc instance could potentially exploit this flaw.
The exploitation does not require user interaction beyond the initial authenticated request. An attacker would typically craft a malicious HTTP request to the sorting endpoint, embedding SQL syntax within the pages parameter to extract database contents using techniques such as UNION-based injection, blind boolean-based injection, or time-based blind injection depending on the application's error handling and response characteristics.
For technical proof-of-concept details, refer to the GitHub Gist PoC published by the security researcher.
Detection Methods for CVE-2026-6982
Indicators of Compromise
- Unusual or malformed requests to /api/page/sort or similar page sorting endpoints containing SQL syntax characters such as single quotes, semicolons, or UNION keywords
- Database query logs showing unexpected SQL statements originating from the PageController component
- Error logs containing SQL syntax errors or database exceptions from the affected endpoint
- Unexpected data extraction or modification in documentation pages or user tables
Detection Strategies
- Implement Web Application Firewall (WAF) rules to detect and block SQL injection patterns in requests to ShowDoc API endpoints
- Monitor application logs for anomalous requests containing SQL injection signatures targeting the pages parameter
- Deploy runtime application self-protection (RASP) solutions to detect SQL injection attempts at the application layer
- Review database audit logs for unauthorized SELECT, UPDATE, or DELETE operations
Monitoring Recommendations
- Enable detailed logging for all API requests to the ShowDoc application, particularly the Page Sort endpoint
- Configure alerting for SQL error messages in application logs that may indicate injection attempts
- Monitor database query performance for unusual patterns that could indicate time-based blind SQL injection probing
- Implement network traffic analysis to detect outbound data exfiltration following potential exploitation
How to Mitigate CVE-2026-6982
Immediate Actions Required
- Upgrade ShowDoc to version 3.8.1 or later immediately to remediate this vulnerability
- If running version 2.10.10, 3.6.2, or any version before 3.8.1, plan migration to the latest release as no backported patches will be provided
- Implement Web Application Firewall rules to filter SQL injection attempts as a temporary mitigation
- Review user accounts and remove any unnecessary or suspicious accounts to reduce attack surface
Patch Information
The vulnerability has been addressed in ShowDoc version 3.8.1. Users should upgrade to this version or later to remediate the SQL injection flaw. The patch is available through the official GitHub Release v3.8.1.
According to the security researcher, the vendor has explicitly stated they will not backport patches to older affected versions. Organizations running versions 2.10.10, 3.6.2, or other pre-3.8.1 releases must upgrade to version 3.8.1 or implement compensating controls.
For additional vulnerability details, consult VulDB #359525 and VulDB CTI information.
Workarounds
- Deploy a Web Application Firewall (WAF) configured to block requests containing SQL injection patterns targeting the pages parameter
- Restrict network access to the ShowDoc instance to trusted IP ranges only
- Implement input validation at the reverse proxy or load balancer level to sanitize the pages parameter before it reaches the application
- Consider disabling the page sorting functionality if it is not critical to operations until upgrade can be performed
# Example: Nginx WAF configuration to block SQL injection patterns
# Add to nginx server configuration for ShowDoc
location /api/ {
# Block common SQL injection patterns
if ($args ~* "(union|select|insert|update|delete|drop|--|;|')" ) {
return 403;
}
proxy_pass http://showdoc_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
