SQL injection vulnerability in the login form in HLstats 1.20 through 1.34 allows remote attackers to execute arbitrary SQL commands via the killLimit parameter.

HLstats 1.20 through 1.34 allows remote attackers to obtain sensitive information via playinfo mode, with certain values of the player and playerdata[lastName][] parameters, which reveals the path in an error message.