A SQL injection vulnerability in the tracker functionality of Enalean Tuleap software engineering platform before 9.18 allows attackers to execute arbitrary SQL commands.