The Silverstripe framework (silverstripe/framework), in versions up to and including 4.11, allows SQL injection.
silverstripe framework