VYPR
Unrated severity · NVD Advisory · Published Mar 4, 2026 · Updated Apr 7, 2026

FreeSMS 2.1.2 Authentication Bypass via SQL Injection

CVE-2019-25506

Description

FreeSMS 2.1.2 contains a boolean-based blind SQL injection vulnerability in the password parameter that allows unauthenticated attackers to bypass authentication by injecting SQL code through the login endpoint. Attackers can exploit the vulnerable password parameter in requests to /pages/crc_handler.php?method=login to authenticate as any known user and subsequently modify their password via the profile update function.

Affected products

  • FreeSMS/FreeSMS (2 versions)
    • (no CPE) range: = 2.1.2
    • (no CPE) range: 2.1.2
