Headline
CVE-2019-7164: fully deprecate textual coercion in where(), filter(), order_by(), add docnotes not to pass untrusted input to these · Issue #4481 · sqlalchemy/sqlalchemy
SQLAlchemy through 1.2.17 and 1.3.x through 1.3.0b2 allows SQL Injection via the order_by parameter.
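
The mitigation the issue title points at, keeping untrusted input out of `order_by()`, can be sketched as an allow-list that maps a request's sort parameter to a fixed column. This is an added example, not code from the issue or from the SQLAlchemy project. It uses the standard-library `sqlite3` module so it runs without dependencies, and the `users` table, the `SORTABLE` map and all function names are constructed for illustration.

```python
import sqlite3

# Pattern the advisory warns about (hypothetical names, shown only as a comment):
#     session.query(User).order_by(request.args["sort"])
# A raw string there is coerced to SQL text on the affected versions.

# Allow-list: public sort key -> real column name (constructed schema).
SORTABLE = {"name": "name", "created": "created_at"}


def parse_sort(raw, default="name"):
    """Turn an untrusted sort value such as '-created' into (column, direction).

    Only constants stored in SORTABLE can be returned; anything else raises.
    """
    raw = (raw or default).strip()
    direction = "DESC" if raw.startswith("-") else "ASC"
    key = raw.lstrip("+-")
    if key not in SORTABLE:
        raise ValueError(f"unsupported sort key: {key!r}")
    return SORTABLE[key], direction


def list_users(conn, raw_sort):
    column, direction = parse_sort(raw_sort)
    # ORDER BY cannot take a bound parameter, so the identifier is interpolated,
    # but it can only be one of the constants in SORTABLE.
    sql = f"SELECT name FROM users ORDER BY {column} {direction}"
    return [row[0] for row in conn.execute(sql)]


def demo_db():
    """In-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, created_at TEXT, pw_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "2019-01-03", "h1"),
        ("bob", "2019-01-01", "h2"),
        ("carol", "2019-01-02", "h3"),
    ])
    return conn


if __name__ == "__main__":
    conn = demo_db()
    print(list_users(conn, "-created"))
    try:
        list_users(conn, "pw_hash")  # a real column, but not an allowed sort key
    except ValueError as exc:
        print("rejected:", exc)
```

With SQLAlchemy itself the same lookup would return a mapped column attribute, for example `User.created_at.desc()`, so that no request string ever reaches `order_by()`.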