When generating a query for finding particular checkbox values, the query was not properly being escaped before being passed onto the database.
CiviCRM versions 5.13.0 and earlier
CiviCRM version 5.13.4 and 5.7.6
Upgrade to the latest version of CiviCRM
Jamie McClelland of Progressive Technology Project for reporting and fixing the issue