CVE-2019-25506 HIGH

CVE-2019-25506: FreeSMS 2.1.2 Authentication Bypass via SQL Injection

Vendor Freesms

Product FreeSMS

Weakness CWE-89 · SQLi

Published March 4, 2026

Last update April 7, 2026

View on NVD All CVEs

CVSS base score

8.8/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

FreeSMS 2.1.2 contains a boolean-based blind SQL injection vulnerability in the password parameter that allows unauthenticated attackers to bypass authentication by injecting SQL code through the login endpoint. Attackers can exploit the vulnerable password parameter in requests to /pages/crc_handler.php?method=login to authenticate as any known user and subsequently modify their password via the profile update function.

Key dates

02Disclosure timeline

March 4, 2026 CVE published

April 7, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2019-25506

Related vulnerabilities

CVE-2019-25506: FreeSMS 2.1.2 Authentication Bypass via SQL Injection

01Description

02Disclosure timeline

03References

04Related CVE