J2EEFAST v2.7.0 exists to contain a SQL injection vulnerability via the findPage function in BpmTaskFromMapper.xml .