In tine up to and including 2023.01.14.325, the sort parameter of the /index.php endpoint allows SQL Injection.
metaways tine
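
A common fix for injection through a sort parameter, as an added example that is not tine's code: prepared-statement placeholders cannot bind column names, so the value is mapped through an allowlist before it reaches the SQL text. It assumes the sort value ends up in an ORDER BY clause, which the advisory does not state; the table, columns and function names are hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical map from client-facing sort keys to real column names.
// Only the right-hand values can ever appear in the SQL text.
const SORT_COLUMNS = [
    'name'    => 'full_name',
    'email'   => 'email',
    'created' => 'creation_time',
];

function buildOrderBy(string $sort, string $dir = 'ASC'): string
{
    // Reject anything outside the allowlist instead of trying to sanitize it.
    if (!array_key_exists($sort, SORT_COLUMNS)) {
        throw new InvalidArgumentException('unsupported sort key');
    }
    // The direction is SQL text too, so reduce it to one of two literals.
    $dir = strtoupper($dir) === 'DESC' ? 'DESC' : 'ASC';
    return 'ORDER BY ' . SORT_COLUMNS[$sort] . ' ' . $dir;
}

function listContacts(PDO $db, string $owner, string $sort, string $dir = 'ASC'): array
{
    // Data values use placeholders; the identifier comes only from the allowlist.
    $stmt = $db->prepare(
        'SELECT full_name FROM contacts WHERE owner = :owner ' . buildOrderBy($sort, $dir)
    );
    $stmt->execute([':owner' => $owner]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed sample data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE contacts (owner TEXT, full_name TEXT, email TEXT, creation_time TEXT)');
$db->exec("INSERT INTO contacts VALUES
    ('alice', 'Zoe Zimmer', 'zoe@example.test', '2023-01-02'),
    ('alice', 'Adam Abel', 'adam@example.test', '2023-01-05')");

print_r(listContacts($db, 'alice', 'name'));
print_r(listContacts($db, 'alice', 'created', 'desc'));

// Constructed hostile value: rejected before any SQL string is built.
try {
    listContacts($db, 'alice', 'full_name, (SELECT 1)');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```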