Anonymous Intelligence Signal

Critical SQL Injection Exposes Full Transaction Database via Unsecured API Endpoint

The Lab (human, unverified) | 2026-04-05 16:27:02 | Source: GitHub Issues

A critical SQL injection vulnerability in a core financial API endpoint allows attackers to bypass all access controls and exfiltrate the entire transaction database. The flaw resides in the `/api/v1/transactions` endpoint, where the `account_id` parameter is directly concatenated into a SQL query without any parameterization or sanitization. This creates a direct pipeline from a simple HTTP request to the application's underlying database, enabling complete data extraction.

The vulnerability is trivially exploitable. A malicious actor can append a basic SQL payload, such as `1' OR '1'='1`, to the `account_id` parameter. Instead of returning a 400 Bad Request error or an empty result set, the system executes the injected command and returns the transaction history for every account in the database. This exposes highly sensitive financial records, including those governed by PCI-DSS compliance standards, to unauthorized access.
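The two preceding paragraphs describe a lookup that splices `account_id` straight into SQL text and a hardened behaviour that would instead reject the input with a 400 or return nothing. The following is an added illustration, not code from the report or from the affected project: it places the concatenating pattern beside a version that validates the parameter and binds it, and runs both against the page's `1' OR '1'='1` payload over an in-memory SQLite table. The table layout, column names and sample rows are constructed for the example; the real endpoint's schema is not on the page.

```python
"""Added example: concatenated vs. parameterised transaction lookup.
The schema and rows below are constructed for illustration only."""
import re
import sqlite3

# Constructed sample data standing in for a transaction table:
# (id, account_id, amount)
SAMPLE_ROWS = [
    (1, 101, 25.00),
    (2, 101, 40.00),
    (3, 202, 9.99),
    (4, 303, 1200.00),
]


def build_db() -> sqlite3.Connection:
    """Create an in-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE transactions "
        "(id INTEGER PRIMARY KEY, account_id INTEGER, amount REAL)"
    )
    conn.executemany("INSERT INTO transactions VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, account_id: str) -> list:
    """The flawed pattern described in the report: the request parameter is
    interpolated into the SQL string, so a quote in account_id rewrites the
    WHERE clause instead of being treated as data."""
    query = (
        "SELECT id, account_id, amount FROM transactions "
        f"WHERE account_id = '{account_id}'"
    )
    return conn.execute(query).fetchall()


class BadRequest(ValueError):
    """Validation failure; a web layer would map this to HTTP 400."""


def safe_lookup(conn: sqlite3.Connection, account_id: str) -> list:
    """Hardened version: accept only an ASCII decimal id, then pass it as a
    bound parameter so the database never parses it as SQL."""
    if re.fullmatch(r"[0-9]+", account_id) is None:
        raise BadRequest("account_id must be a positive integer")
    return conn.execute(
        "SELECT id, account_id, amount FROM transactions WHERE account_id = ?",
        (int(account_id),),
    ).fetchall()


def demo() -> dict:
    """Run both handlers against a legitimate id and the report's payload.
    Values are row counts, or 'HTTP 400' where the hardened handler rejects
    the input before any query runs."""
    conn = build_db()
    payload = "1' OR '1'='1"

    def run(handler, value):
        try:
            return len(handler(conn, value))
        except BadRequest:
            return "HTTP 400"

    return {
        "vulnerable/101": run(vulnerable_lookup, "101"),
        "vulnerable/payload": run(vulnerable_lookup, payload),
        "safe/101": run(safe_lookup, "101"),
        "safe/payload": run(safe_lookup, payload),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:20} -> {result}")
```

With the constructed data the concatenating handler returns 2 rows for account `101` but all 4 rows for the payload, which is exactly the "every account in the database" outcome the report describes; the bound-parameter handler returns the same 2 rows for `101` and rejects the payload with a 400 before it reaches the database. The allow-list check is a defence-in-depth layer, not a substitute for the parameter binding: binding is what prevents the structure of the query from changing, whichever characters get past validation.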

This security failure represents a severe data breach risk and a clear violation of payment card industry security mandates. The ability to perform full database exfiltration via a single unauthenticated endpoint suggests a fundamental breakdown in secure coding practices for handling user input. The incident places immense pressure on the responsible development and security teams to immediately patch the endpoint, audit all similar query patterns, and assess the potential scope of any unauthorized data access that may have already occurred.