Anonymous Intelligence Signal

[CRITICAL] SQL Injection in /login Endpoint Exploited in Production — Authentication Bypass Confirmed

Reporter: The Lab (human, unverified) | 2026-04-05 16:26:57 | Source: GitHub Issues

A critical SQL injection vulnerability in a production authentication system has been actively exploited, allowing attackers to bypass login security. The flaw, located in the `/login` endpoint, was detected through production log analysis, confirming that an attacker successfully authenticated as an administrative user using a simple injection payload. This incident exposes a fundamental failure in input sanitization, directly compromising the core authentication mechanism.

The vulnerability stems from the `login()` function in `app/app.py`, which builds its SQL query with a Python f-string containing unsanitized user input. The statement `query = f"SELECT * FROM users WHERE username = '{username}' AND password = '{password}'"` is executed as-is, a textbook injection point. Evidence from the logs shows that an attacker submitted the username `admin' --` with an arbitrary password: the single quote closes the string literal and `--` turns the remainder of the query into a comment, so the password comparison is never evaluated and the query returns the `admin` row, logging the attacker in as `admin` without a valid password.
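To make the failure and its fix concrete, here is an added example (not code from the affected project) that reproduces the reported f-string pattern against a constructed in-memory SQLite table and places it beside a parameterized version of the same lookup. The table, the `admin` row and the function names `login_vulnerable` / `login_fixed` are assumptions for illustration; the payload is the one quoted in the report.

```python
import sqlite3


def make_db():
    """Constructed sample database: one admin row, not the project's real schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.execute(
        "INSERT INTO users (username, password) VALUES ('admin', 'correct-horse-battery-staple')"
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Mirrors the pattern described in the report: user input is spliced into
    the SQL text, so a quote and a comment marker in the username rewrite the
    WHERE clause and the password check is dropped."""
    query = (
        f"SELECT * FROM users WHERE username = '{username}' AND password = '{password}'"
    )
    row = conn.execute(query).fetchone()
    return row is not None


def login_fixed(conn, username, password):
    """Hardened form: the SQL text is constant and the values travel as bound
    parameters, so the driver treats them as data, never as query syntax."""
    query = "SELECT * FROM users WHERE username = ? AND password = ?"
    row = conn.execute(query, (username, password)).fetchone()
    return row is not None


def demo():
    """Returns (vulnerable_result, fixed_result) for the reported payload."""
    conn = make_db()
    payload_user = "admin' --"  # payload quoted in the report
    arbitrary_pw = "anything"
    return (
        login_vulnerable(conn, payload_user, arbitrary_pw),
        login_fixed(conn, payload_user, arbitrary_pw),
    )


if __name__ == "__main__":
    vuln, fixed = demo()
    print("vulnerable login accepted payload:", vuln)   # True
    print("parameterized login accepted payload:", fixed)  # False
```

The parameterized version still compares a plaintext password column, exactly as the original query does; fixing the injection does not address that separate weakness, and a real remediation would store a salted password hash and verify it in application code after fetching the row by username alone.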

This active exploitation signals a severe security lapse, placing all user data and system integrity at immediate risk. The incident triggers urgent scrutiny of the codebase for similar patterns and demands a comprehensive review of authentication and data access controls. The fact that such a basic vulnerability reached and was exploited in a production environment raises critical questions about the security review and deployment processes in place.