Anonymous Intelligence Signal

Critical SQL Injection Exposes Full Transaction Database via Unsecured API Endpoint

human The Lab unverified 2026-04-05 21:27:00 Source: GitHub Issues

A critical SQL injection vulnerability in a core financial API endpoint allows attackers to bypass the endpoint's per-account scoping and exfiltrate the entire transaction database. The flaw resides in the `/api/v1/transactions` endpoint, where the `account_id` query parameter is concatenated directly into an SQL statement without parameterization or sanitization. This fundamental security failure lets a single crafted request dump the complete transaction history for every user, turning a routine lookup function into a wide-open data breach vector.

The vulnerability is trivially exploitable. A single crafted request, such as `GET /api/v1/transactions?account_id=1' OR '1'='1` (with the quote, spaces and `=` percent-encoded on the wire, which the framework decodes before the handler sees them), terminates the string literal the query wraps around `account_id` and appends an always-true condition, so the backend database returns every row instead of the requested account's rows or a '400 Bad Request' response. The root cause is string concatenation of user input into SQL text rather than a missing filter: the fix is to bind `account_id` as a query parameter (a prepared statement), with an allowlist check on the expected identifier format as defense in depth, since escaping or sanitizing on its own is error-prone for a component handling highly sensitive financial data. The exposed `src/api/transactions.js` file is the point of failure.
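The following is an added example, not code from the affected project (whose handler lives in a JavaScript file); it is written in Python against an in-memory SQLite database so it runs stand-alone and offline. The endpoint path and the `account_id` parameter come from the report above; the table schema, the sample rows, the digit-only `ACCOUNT_ID_RE` allowlist and the three handler functions are assumptions made for illustration. It shows the concatenated query returning every row for the `1' OR '1'='1` payload, the same payload bound as a parameter matching nothing, and a hardened handler refusing it with a 400 before any SQL runs.

```python
import re
import sqlite3
from urllib.parse import parse_qs

# Constructed sample data (not from the advisory): a tiny transactions table
# standing in for the financial database behind /api/v1/transactions.
SAMPLE_ROWS = [
    (1, "1", 125.00, "coffee"),
    (2, "1", -40.00, "refund"),
    (3, "2", 999.99, "laptop"),
    (4, "3", 12.50, "lunch"),
]

# Hypothetical exploit request as it travels on the wire: the quote, spaces
# and '=' in  1' OR '1'='1  are percent-encoded by the client.
INJECTION_QUERY = "account_id=1%27%20OR%20%271%27%3D%271"
LEGIT_QUERY = "account_id=1"

# Assumed format: only digit strings are valid account ids in this schema.
ACCOUNT_ID_RE = re.compile(r"[0-9]{1,18}")


def make_db():
    """Create an in-memory SQLite database seeded with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE transactions ("
        "id INTEGER PRIMARY KEY, account_id TEXT NOT NULL, "
        "amount REAL NOT NULL, memo TEXT)"
    )
    conn.executemany("INSERT INTO transactions VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def account_id_from_query(query_string):
    """Pull account_id out of the URL query string, percent-decoded the way a
    web framework hands it to the handler (None if the parameter is absent)."""
    values = parse_qs(query_string, keep_blank_values=True).get("account_id")
    return values[0] if values else None


def vulnerable_lookup(conn, query_string):
    """Mirrors the flaw: the attacker-controlled value is concatenated into the
    SQL text, so a quote in the value escapes the string literal."""
    account_id = account_id_from_query(query_string) or ""
    sql = (
        "SELECT id, account_id, amount, memo FROM transactions "
        "WHERE account_id = '" + account_id + "'"
    )
    return 200, conn.execute(sql).fetchall()


def parameterized_lookup(conn, query_string):
    """The real fix: bind the value as a parameter. The driver sends it as data,
    never as SQL, so  1' OR '1'='1  is just a non-existent account id."""
    account_id = account_id_from_query(query_string) or ""
    sql = "SELECT id, account_id, amount, memo FROM transactions WHERE account_id = ?"
    return 200, conn.execute(sql, (account_id,)).fetchall()


def hardened_lookup(conn, query_string):
    """Parameterized query plus an allowlist check on the input format, so
    malformed ids are refused with 400 before any SQL runs (defense in depth)."""
    account_id = account_id_from_query(query_string)
    if account_id is None or not ACCOUNT_ID_RE.fullmatch(account_id):
        return 400, []
    return parameterized_lookup(conn, query_string)


if __name__ == "__main__":
    db = make_db()
    for name, handler in (("vulnerable", vulnerable_lookup),
                          ("parameterized", parameterized_lookup),
                          ("hardened", hardened_lookup)):
        for qs in (LEGIT_QUERY, INJECTION_QUERY):
            status, rows = handler(db, qs)
            print(f"{name:13s} {qs!r:45s} -> HTTP {status}, {len(rows)} row(s)")
```

Note that `parameterized_lookup` alone already defeats the injection; the allowlist in `hardened_lookup` is there so that the endpoint fails closed with a 400 on anything that is not an account identifier, which also keeps malformed input out of logs and downstream queries.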

The impact is severe, constituting a direct violation of Payment Card Industry Data Security Standard (PCI-DSS) compliance requirements. The flaw makes full database exfiltration not just a theoretical risk but a straightforward, low-skill attack. Any system using this vulnerable code is exposed to the theft of all transactional records, posing immediate risks of fraud, regulatory penalties, and catastrophic loss of customer trust. The presence of such a basic vulnerability in a financial endpoint signals profound systemic security failures.