showdoc/showdoc is vulnerable to cross-site request forgery. The server is unable to verify the authenticity of web requests due to a lack of anti-CSRF protection mechanism in the REST API, allowing an attacker to add any member for any item if users visit the attacker site.