Previously, the grp URL parameter was not validated before being passed into the grouping part of an SQL query, which allowed for possible SQL injection. The SQL that lists the reports has now been rewritten to properly validate all variables used in the query.
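The class of fix described above, as an added example that is not CiviCRM's patch or code: a grouping value sits in an identifier position, where a bound placeholder cannot be used, so it is validated against a fixed allowlist before it reaches the SQL. The table, columns, the GROUPABLE map and the listReports function are hypothetical, and the rows are constructed sample data.

```php
<?php
// Added example: hypothetical schema and function names, not CiviCRM's own code.
// Constructed sample rows in an in-memory SQLite database (needs pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE report_instance (id INTEGER PRIMARY KEY, title TEXT, component TEXT, is_active INTEGER)');
$db->exec("INSERT INTO report_instance (title, component, is_active) VALUES
  ('Donor summary', 'Contribute', 1),
  ('Event income', 'Event', 1),
  ('Top donors', 'Contribute', 0)");

// BEFORE (pattern the advisory describes): the request value goes straight
// into the grouping clause, so whatever the client sends becomes SQL text:
//   $sql = "SELECT ... FROM report_instance GROUP BY " . $_GET['grp'];

// AFTER: the request value is only a lookup key. The column name placed in
// the SQL always comes from this constant map, never from the request.
const GROUPABLE = ['component' => 'component', 'active' => 'is_active'];

function listReports(PDO $db, string $grp, ?int $isActive = null): array {
  if (!array_key_exists($grp, GROUPABLE)) {
    throw new InvalidArgumentException('Unsupported grouping value');
  }
  $column = GROUPABLE[$grp];
  $sql = "SELECT $column AS grp, COUNT(*) AS n FROM report_instance";
  $params = [];
  if ($isActive !== null) {
    // Values (unlike identifiers) can and should be bound parameters.
    $sql .= ' WHERE is_active = :active';
    $params[':active'] = $isActive;
  }
  $sql .= " GROUP BY $column ORDER BY $column";
  $stmt = $db->prepare($sql);
  $stmt->execute($params);
  return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

print_r(listReports($db, 'component'));
try {
  listReports($db, 'component, title'); // constructed value outside the allowlist
} catch (InvalidArgumentException $e) {
  echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```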
CiviCRM Versions prior to 4.7.26 and 4.6.33
CiviCRM Versions 4.7.26 and 4.6.33
Upgrade to the latest version of CiviCRM
If you cannot upgrade, you should apply the following patch:
Sean Madsen of Left Join Labs for reporting and fixing the issue.