CVE-2025-15494

6.3 MEDIUM

📋 TL;DR

This SQL injection vulnerability in RainyGao DocSys allows attackers to manipulate database queries via the Username parameter. Remote attackers can potentially access, modify, or delete sensitive data in the database. All users of DocSys up to version 2.02.37 are affected.

💻 Affected Systems

Products:
  • RainyGao DocSys
Versions: Up to and including 2.02.37
Operating Systems: All platforms running DocSys
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in the UserMapper.xml file and affects the Username parameter handling.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete database compromise, including data theft, data manipulation, privilege escalation, and potential system takeover via subsequent attacks.

🟠 Likely Case: Unauthorized data access and extraction of sensitive information from the database, potentially including user credentials and document metadata.

🟢 If Mitigated: Limited impact with proper input validation and database permissions; potentially only error messages or limited data exposure.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit available on GitHub with detailed reproduction steps. Remote exploitation requires no authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available

Restart Required: No

Instructions:

No official patch is available; the vendor did not respond to disclosure. Upgrade if the vendor releases a fix; until then, implement the workarounds below.

🔧 Temporary Workarounds

Input Validation Filter (applies to: all)

  • Implement strict input validation for the Username parameter to reject SQL special characters
  • Implement parameterized queries or prepared statements in UserMapper.xml

Web Application Firewall Rules (applies to: all)

  • Deploy WAF rules to block SQL injection patterns in the Username parameter
  • Configure the WAF to detect and block SQL injection patterns in POST/GET parameters
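Of the two workarounds, parameterized queries are the durable fix: the root cause is that the Username value is spliced into SQL text rather than bound as a prepared-statement parameter. The MyBatis mapper fragment below is an added illustration and is not DocSys's own UserMapper.xml (the page does not show the vulnerable mapping). The namespace, statement ids, table and column names, and result type are assumptions; what it demonstrates is the general MyBatis distinction between `${}` (string substitution into the SQL) and `#{}` (a bound parameter), with the weak form shown beside the corrected one.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Hypothetical mapper fragment for illustration only; names are assumed, not DocSys's. -->
<!DOCTYPE mapper PUBLIC "-//mybatis.org//DTD Mapper 3.0//EN"
        "http://mybatis.org/dtd/mybatis-3-mapper.dtd">
<mapper namespace="com.example.dao.UserMapper">

  <!-- WEAK: ${username} is substituted into the SQL string before it reaches the
       driver. A single quote inside the value closes the literal, so the caller
       controls the structure of the statement, not just the compared value. -->
  <select id="queryByNameWeak" resultType="com.example.model.User">
    SELECT id, username, email
    FROM user
    WHERE username = '${username}'
  </select>

  <!-- FIXED: #{username} becomes a JDBC PreparedStatement placeholder ("?").
       The value is sent as data and can never alter the query text. -->
  <select id="queryByName" parameterType="string" resultType="com.example.model.User">
    SELECT id, username, email
    FROM user
    WHERE username = #{username}
  </select>

  <!-- Common regression: developers reach for ${} to build a LIKE pattern.
       Build the pattern in SQL around a bound parameter instead. -->
  <select id="searchByName" parameterType="string" resultType="com.example.model.User">
    SELECT id, username, email
    FROM user
    WHERE username LIKE CONCAT('%', #{username}, '%')
  </select>

  <!-- Identifiers (ORDER BY column) cannot be bound as parameters. If ordering
       must be caller-selectable, allow-list the options rather than using ${}. -->
  <select id="listUsers" resultType="com.example.model.User">
    SELECT id, username, email
    FROM user
    <choose>
      <when test="sortBy == 'username'">ORDER BY username</when>
      <when test="sortBy == 'email'">ORDER BY email</when>
      <otherwise>ORDER BY id</otherwise>
    </choose>
  </select>

</mapper>
```

When auditing a mapper file for this class of bug, search for every `${` occurrence: each one is a string substitution and needs either conversion to `#{}` or, for identifiers, an allow-list as in `listUsers`. Input validation on the Username parameter is a useful defence-in-depth layer but does not remove the underlying defect.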

🧯 If You Can't Patch

  • Isolate DocSys instance behind firewall with strict network access controls
  • Run DocSys with a database account that has minimal permissions (read-only if possible)

🔍 How to Verify

Check if Vulnerable:

Check whether the DocSys version is 2.02.37 or earlier. Test the Username parameter with SQL injection payloads such as ' OR '1'='1

Check Version:

Check application version in DocSys interface or configuration files

Verify Fix Applied:

Test with SQL injection payloads after implementing parameterized queries or input validation

📡 Detection & Monitoring

Log Indicators:

  • Unusual database queries from web application
  • SQL syntax errors in application logs
  • Multiple failed login attempts whose username contains SQL special characters

Network Indicators:

  • HTTP requests containing SQL keywords in Username parameter
  • Unusual database connection patterns from web server

SIEM Query:

web.url:*DocSys* AND (web.param.username:*OR* OR web.param.username:*UNION* OR web.param.username:*SELECT*)
