BEdita up to and including 4.0.0-RC2 allows SQL injection during a save operation for a relation with parameters.
Affected product (vendor, product, version): bedita, bedita, 4.0.0