CVE-2025-15494
Published: 09 January 2026
Summary
CVE-2025-15494 is a medium-severity Injection (CWE-74) vulnerability in Docsys Project Docsys. Its CVSS base score is 5.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 29.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-6 (Least Privilege).
Deeper analysis
CVE-2025-15494 is a SQL injection vulnerability (CWE-74, CWE-89) in RainyGao DocSys versions up to 2.02.37. It affects an unknown function within the file com/DocSystem/mapping/UserMapper.xml, where manipulation of the Username argument enables the injection.
The vulnerability is remotely exploitable over the network with low attack complexity and no user interaction required. Exploitation demands low privileges (PR:L) from the attacker, such as an authenticated user, and results in low impacts to confidentiality, integrity, and availability (CVSS:3.1 score of 6.3; AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).
Advisories and references, including GitHub entries with vulnerability analysis and reproduction steps as well as VulDB reports, confirm the exploit has been publicly disclosed and may be used. The vendor was contacted early regarding the issue but provided no response, and no patches or mitigations are mentioned.
The exploit disclosure heightens the risk for deployments of the affected DocSys versions, as it is available for potential immediate use by attackers.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-1725
Vulnerability details
A vulnerability has been found in RainyGao DocSys up to 2.02.37. This affects an unknown function of the file com/DocSystem/mapping/UserMapper.xml. The manipulation of the argument Username leads to sql injection. The attack can be initiated remotely. The exploit has been…
more
disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SQL injection in a network-accessible web application (DocSys) directly enables remote exploitation of a public-facing service without needing additional user interaction.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires validation of untrusted inputs such as the Username argument before it reaches the UserMapper.xml SQL statement, blocking the injection vector.
Enables monitoring of database queries and anomalous SQL patterns originating from the Username parameter to identify active exploitation attempts.
Limits the privileges of authenticated users who can reach the vulnerable mapper, reducing the confidentiality/integrity/availability impact of a successful injection.