Cyber Resilience

CVE-2025-15494

MediumPublic PoC

Published: 09 January 2026

Published
09 January 2026
Modified
22 January 2026
KEV Added
Patch
CVSS Score v4 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0038 29.5th percentile
Risk Priority 35 floored blend · peak EPSS

Summary

CVE-2025-15494 is a medium-severity Injection (CWE-74) vulnerability in Docsys Project Docsys. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 29.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-6 (Least Privilege).

Deeper analysis

CVE-2025-15494 is a SQL injection vulnerability (CWE-74, CWE-89) in RainyGao DocSys versions up to 2.02.37. It affects an unknown function within the file com/DocSystem/mapping/UserMapper.xml, where manipulation of the Username argument enables the injection.

The vulnerability is remotely exploitable over the network with low attack complexity and no user interaction required. Exploitation demands low privileges (PR:L) from the attacker, such as an authenticated user, and results in low impacts to confidentiality, integrity, and availability (CVSS:3.1 score of 6.3; AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).

Advisories and references, including GitHub entries with vulnerability analysis and reproduction steps as well as VulDB reports, confirm the exploit has been publicly disclosed and may be used. The vendor was contacted early regarding the issue but provided no response, and no patches or mitigations are mentioned.

The exploit disclosure heightens the risk for deployments of the affected DocSys versions, as it is available for potential immediate use by attackers.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

A vulnerability has been found in RainyGao DocSys up to 2.02.37. This affects an unknown function of the file com/DocSystem/mapping/UserMapper.xml. The manipulation of the argument Username leads to sql injection. The attack can be initiated remotely. The exploit has been…

more

disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

SQL injection in a network-accessible web application (DocSys) directly enables remote exploitation of a public-facing service without needing additional user interaction.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-15493Same product: Docsys Project Docsys
CVE-2025-15492Same product: Docsys Project Docsys
CVE-2025-11630Same product: Docsys Project Docsys
CVE-2025-11631Same product: Docsys Project Docsys
CVE-2026-2116Shared CWE-74, CWE-89
CVE-2025-15436Shared CWE-74, CWE-89
CVE-2026-6148Shared CWE-74, CWE-89
CVE-2026-3792Shared CWE-74, CWE-89
CVE-2026-9447Shared CWE-74, CWE-89
CVE-2026-6153Shared CWE-74, CWE-89

Affected Assets

docsys project
docsys
≤ 2.02.37

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation of untrusted inputs such as the Username argument before it reaches the UserMapper.xml SQL statement, blocking the injection vector.

detect

Enables monitoring of database queries and anomalous SQL patterns originating from the Username parameter to identify active exploitation attempts.

prevent

Limits the privileges of authenticated users who can reach the vulnerable mapper, reducing the confidentiality/integrity/availability impact of a successful injection.

References