The dated_news (aka Dated News) extension up to and including 5.1.1 for TYPO3 allows SQL Injection.
dated news project dated news