The currently selected widget values were not correctly sanitized before being passed to the database, leading to a possible SQL injection.
The issue has been patched in tablelookupwizard version 3.3.5 and version 4.0.0.
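The class of fix described above, as an added example that is not the project's code or its patch: it assumes the widget's selection is a list of integer record IDs used in an `IN (...)` clause. PDO with an in-memory SQLite database stands in for the real database layer, and `normaliseSelectedIds`, `fetchSelectedRows` and the table `tl_demo` are hypothetical names.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: reduce the submitted selection to unique positive integer IDs.
function normaliseSelectedIds(array $raw): array
{
    $ids = [];
    foreach ($raw as $value) {
        // Accept only integers or strings made purely of decimal digits.
        if (is_int($value) || (is_string($value) && ctype_digit($value))) {
            $id = (int) $value;
            if ($id > 0) {
                $ids[$id] = $id; // keyed by ID to de-duplicate
            }
        }
    }
    return array_values($ids);
}

// Hypothetical helper: look up the selected rows with bound parameters only.
function fetchSelectedRows(PDO $pdo, array $rawSelection): array
{
    $ids = normaliseSelectedIds($rawSelection);
    if ($ids === []) {
        return []; // "IN ()" is not valid SQL, so short-circuit
    }
    // One "?" per validated ID; no submitted value is concatenated into the SQL text.
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $pdo->prepare("SELECT id, name FROM tl_demo WHERE id IN ($placeholders) ORDER BY id");
    foreach ($ids as $i => $id) {
        $stmt->bindValue($i + 1, $id, PDO::PARAM_INT);
    }
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample data (assumption: not taken from the advisory).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE tl_demo (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO tl_demo (id, name) VALUES (1, 'alpha'), (2, 'beta'), (3, 'gamma')");

// Constructed selection: two valid IDs plus values that must not reach the query.
$selection = ['2', '3', '3) OR 1=1 --', '-1', ['nested']];
print_r(fetchSelectedRows($pdo, $selection));
```

The malformed entries are dropped during normalisation, so only the rows for the validated IDs are returned.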
If you have any questions or comments about this advisory:
github.com/FriendsOfPHP/security-advisories/blob/master/terminal42/contao-tablelookupwizard/2022-02-04-1.yaml
github.com/terminal42/contao-tablelookupwizard
github.com/terminal42/contao-tablelookupwizard/commit/a5e723a28f110b7df8ffc4175cef9b061d3cc717
github.com/terminal42/contao-tablelookupwizard/security/advisories/GHSA-v3mr-gp7j-pw5w