CVE-2019-25325

HIGH

Thrive Smart Home 1.1 - SQL Injection

Title source: llm

Description

Thrive Smart Home 1.1 contains an SQL injection vulnerability in the checklogin.php endpoint that allows unauthenticated attackers to bypass authentication by manipulating the 'user' POST parameter. Attackers can inject malicious SQL code like ' or 1=1# to manipulate login queries and gain unauthorized access to the application.

Exploits (1)

exploitdb WORKING POC

by LiquidWorm · textwebappsphp

https://www.exploit-db.com/exploits/47814

View Code ZIP pw:eip

References (6)

[Exploit, Third Party Advisory] https://www.exploit-db.com/exploits/47814

[Third Party Advisory] https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5554.php

[Various Sources] https://packetstorm.news/files/id/155797

[Issue Tracking] https://cxsecurity.com/issue/WLB-2020010019

[Third Party Advisory, VDB Entry] https://exchange.xforce.ibmcloud.com/vulnerabilities/173728

[Third Party Advisory] https://www.vulncheck.com/advisories/thrive-smart-home-smart-home-improper-limitation-o

Scores

CVSS v3 8.2

EPSS 0.0047

EPSS Percentile 64.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-89

Status published

Published Feb 12, 2026

Tracked Since Feb 18, 2026