If you specify the SMS destination as "localhost<plaintext>" and send a test message the output is corrupted due to the value not being escaped.
Unlikely to be exploited directly, but in association with other bugs.