cuzitsjonny / JALUS

A PoC of a LEGO Universe server emulator; Written in C++; Discontinued

CRITICAL (Does not affect player information): SQL Injection possible

uwainium opened this issue

On the current version of development, the Commands.cpp file allows a user to submit a raw string to the DB, allowing for SQL Injection.

The methods in CDClient.cpp that are affected are:
CDClient::isAnimationValid
CDClient::getTemplateFromName

Fix: Use params in the SACommand object instead of concatenating strings.
More about those here
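
The difference between the two patterns named in the issue, as an added example that is not part of the original report or of the JALUS code base: a concatenated query changes its token structure with the input, while a parameterized one keeps constant text and carries the input as data. The `Statement` struct, the `Animations` table and `name` column, and the helper functions are hypothetical; this models the idea and does not use the SQLAPI++ API.

```cpp
#include <cctype>
#include <iostream>
#include <string>
#include <vector>

// Hypothetical stand-in for a command object (text + bound values); not the SQLAPI++ API.
struct Statement { std::string sql; std::vector<std::string> params; };

// Pattern the issue describes: input concatenated into the text (hypothetical table/column).
Statement buildConcatenated(const std::string& name) {
    return {"SELECT id FROM Animations WHERE name = '" + name + "'", {}};
}

// Pattern the issue recommends: constant text, input carried as a parameter.
Statement buildParameterized(const std::string& name) {
    return {"SELECT id FROM Animations WHERE name = :1", {name}};
}

// Minimal SQL lexer: a quoted literal ('' escapes a quote) is one token; -1 if never closed.
int countTokens(const std::string& sql) {
    auto isWord = [](unsigned char ch) { return std::isalnum(ch) || ch == '_' || ch == ':'; };
    int tokens = 0;
    std::string::size_type i = 0;
    while (i < sql.size()) {
        if (std::isspace(static_cast<unsigned char>(sql[i]))) { ++i; continue; }
        ++tokens;
        if (sql[i] == '\'') {
            ++i;                                       // skip opening quote
            while (true) {
                if (i >= sql.size()) return -1;        // literal never closed
                if (sql[i++] != '\'') continue;        // ordinary character
                if (i < sql.size() && sql[i] == '\'') { ++i; continue; }  // '' escape
                break;                                 // closing quote
            }
        } else if (isWord(sql[i])) {
            while (i < sql.size() && isWord(sql[i])) ++i;
        } else { ++i; }                                // one-character operator
    }
    return tokens;
}

// True when the input altered the statement's token structure relative to a plain value.
bool structureChanged(const Statement& s, const Statement& plain) { return countTokens(s.sql) != countTokens(plain.sql); }

int main() {
    const Statement plain = buildConcatenated("idle");
    for (const std::string in : {"idle", "O'Brien", "x' OR '1'='1"})  // constructed inputs
        std::cout << in << ": concatenated changed=" << structureChanged(buildConcatenated(in), plain) << " parameterized changed=" << structureChanged(buildParameterized(in), buildParameterized("idle")) << "\n";
}
```

Even the harmless apostrophe in `O'Brien` breaks the concatenated statement, which makes a name containing a quote a quick regression test once the queries are converted to parameters.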