SQL Injection exists in the SimpleCalendar 3.1.9 component for Joomla! via the catid array parameter.
albonico simplecalendar 3.1.9