Unrated severity · NVD Advisory · Published Mar 4, 2026 · Updated Apr 7, 2026
FreeSMS 2.1.2 Authentication Bypass via SQL Injection
CVE-2019-25506
Description
FreeSMS 2.1.2 contains a boolean-based blind SQL injection vulnerability in the password parameter that allows unauthenticated attackers to bypass authentication by injecting SQL code through the login endpoint. Attackers can exploit the vulnerable password parameter in requests to /pages/crc_handler.php?method=login to authenticate as any known user and subsequently modify their password via the profile update function.
Affected products
- Freesms/FreeSMSv5 · Range: 2.1.2
Patches
No patches discovered yet.
References
- www.exploit-db.com/exploits/46658 (mitre, exploit)
- www.vulncheck.com/advisories/freesms-authentication-bypass-via-sql-injection (mitre, third-party advisory)