Cyber Resilience

CVE-2025-15493

MediumPublic PoC

Published: 09 January 2026

Published
09 January 2026
Modified
22 January 2026
KEV Added
Patch
CVSS Score v4 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0040 32.1th percentile
Risk Priority 35 floored blend · peak EPSS

Summary

CVE-2025-15493 is a medium-severity Injection (CWE-74) vulnerability in Docsys Project Docsys. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 32.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-6 (Least Privilege).

Deeper analysis

CVE-2025-15493 is a SQL injection vulnerability affecting RainyGao DocSys versions up to 2.02.36. The flaw resides in an unknown function within the file src/com/DocSystem/mapping/ReposAuthMapper.xml, where manipulation of the searchWord argument enables injection. This issue, classified under CWE-74 and CWE-89, has a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L), indicating medium severity with network accessibility and low complexity.

The vulnerability can be exploited remotely by an attacker with low privileges (PR:L). Successful exploitation allows limited impacts on confidentiality, integrity, and availability, such as unauthorized data access, modification, or disruption via injected SQL payloads targeting the searchWord parameter.

Advisories from VulDB and related references, including a GitHub repository, detail the vulnerability analysis and provide a published exploit, but no patches or vendor mitigations are mentioned. The vendor was contacted early regarding disclosure but did not respond.

An exploit has been publicly released and may be actively used, highlighting the need for immediate scrutiny of affected DocSys deployments.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

A flaw has been found in RainyGao DocSys up to 2.02.36. The impacted element is an unknown function of the file src/com/DocSystem/mapping/ReposAuthMapper.xml. Executing a manipulation of the argument searchWord can lead to sql injection. It is possible to launch the…

more

attack remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

SQL injection in a web-accessible DocSys component directly enables remote exploitation of a public-facing application (T1190) with low-privilege network access.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-15494Same product: Docsys Project Docsys
CVE-2025-15492Same product: Docsys Project Docsys
CVE-2025-11630Same product: Docsys Project Docsys
CVE-2025-11631Same product: Docsys Project Docsys
CVE-2026-2116Shared CWE-74, CWE-89
CVE-2025-15436Shared CWE-74, CWE-89
CVE-2026-6148Shared CWE-74, CWE-89
CVE-2026-3792Shared CWE-74, CWE-89
CVE-2026-9447Shared CWE-74, CWE-89
CVE-2026-6153Shared CWE-74, CWE-89

Affected Assets

docsys project
docsys
≤ 2.02.36

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation of the searchWord input parameter before it reaches the SQL query in ReposAuthMapper.xml, blocking the injection payload.

detect

Enables monitoring of database query patterns and anomalies that would reveal successful exploitation of the searchWord parameter.

prevent

Restricts the database account used by DocSys to the minimum privileges needed, limiting the impact of any successful SQL injection via searchWord.

References