The vhs (aka VHS: Fluid ViewHelpers) extension prior to 5.1.1 for TYPO3 allows SQL injection via isLanguageViewHelper.
vhs project vhs