CiviCRM Versions 5.10.2 and earlier
CiviCRM versions 5.10.3 and 5.7.4
When populating the "PrevNext" cache, some values were not properly escaped - which enabled a SQL-injection (SQLI) vulnerability.
Upgrade to the latest version of CiviCRM
Tim Otten of CiviCRM for reporting the issue
Seamus Lee of Australian Greens and Tim Otten of CiviCRM for fixing the issue