cPanel before 11.54.0.4 allows SQL injection in bin/horde_update_usernames (SEC-71).
No related bugs.