CVE-2019-25325 HIGH

CVE-2019-25325: Thrive Smart Home 1.1 - 'Smart Home' Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Vendor Thrive
Product Smart Home
Weakness CWE-89 · SQLi
Published February 12, 2026
Last update March 5, 2026

CVSS base score

8.8/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

Thrive Smart Home 1.1 contains an SQL injection vulnerability in the checklogin.php endpoint that allows unauthenticated attackers to bypass authentication by manipulating the 'user' POST parameter. Attackers can inject malicious SQL code like ' or 1=1# to manipulate login queries and gain unauthorized access to the application.

Key dates

02Disclosure timeline

February 12, 2026 CVE published
March 5, 2026 Record updated

Related vulnerabilities

04Related CVE