CiviCRM versions 5.13.0 and earlier
CiviCRM version 5.13.4 and 5.7.6
When generating a query for finding particular checkbox values, the query was not properly being escaped before being passed onto the database.
Upgrade to the latest version of CiviCRM
Jamie McClelland of Progressive Technology Project for reporting and fixing the issue