CVE-2015-7903

Infinite Automation Mango Automation <2.6.0 - SQL Injection

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2015-7903.

AI-analyzed exploit summary The exploit demonstrates an authenticated arbitrary JSP file upload vulnerability in Mango Automation 2.5.2 and 2.6.0 beta, allowing remote code execution via a malicious JSP file uploaded through the 'graphicalViewsBackgroundUpload' endpoint. It also includes a CSRF-based arbitrary command execution exploit and details for other vulnerabilities like SQL injection and debug log exposure.

Description

SQL injection vulnerability in Infinite Automation Mango Automation 2.5.x and 2.6.x before 2.6.0 build 430 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors.

Exploits (1)

exploitdb WORKING POC
webappsjsp
https://www.exploit-db.com/exploits/38338

The exploit demonstrates an authenticated arbitrary JSP file upload vulnerability in Mango Automation 2.5.2 and 2.6.0 beta, allowing remote code execution via a malicious JSP file uploaded through the 'graphicalViewsBackgroundUpload' endpoint. It also includes a CSRF-based arbitrary command execution exploit and details for other vulnerabilities like SQL injection and debug log exposure.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Mango Automation 2.5.2 and 2.6.0 beta (build 327)
Auth required
Prerequisites: Authenticated session · Access to the target application
devstral-2 · analyzed Feb 19, 2026 Full analysis →

References (1)

Core 1
Core References
Patch, Third Party Advisory, US Government Resource x_refsource_misc
https://ics-cert.us-cert.gov/advisories/ICSA-15-300-02

Scores

EPSS 0.0129
EPSS Percentile 66.4%

Details

CWE
CWE-89
Status published
Products (3)
infinite_automation_systems/mango_automation 2.5.0
infinite_automation_systems/mango_automation 2.5.5
infinite_automation_systems/mango_automation 2.6.0
Published Oct 28, 2015
Tracked Since Feb 18, 2026