SQLAlchemy 1.2.17 has SQL Injection when the group_by parameter can be controlled.
{ "cwe_ids": [ "CWE-89" ], "nvd_published_at": "2019-02-06T21:29:00Z", "github_reviewed_at": "2020-06-16T20:54:34Z", "github_reviewed": true, "severity": "CRITICAL" }