When populating the "PrevNext" cache, some values were not properly escaped - which enabled a SQL-injection (SQLI) vulnerability.
CiviCRM Versions 5.10.2 and earlier
CiviCRM versions 5.10.3 and 5.7.4
Upgrade to the latest version of CiviCRM
Tim Otten of CiviCRM for reporting the issue
Seamus Lee of Australian Greens and Tim Otten of CiviCRM for fixing the issue