The vulnerability stems from constructing SQL queries using string interpolation instead of prepared statements. The commit diff shows:

1. In GetChatModerationHistory: Raw ORDER BY query without parameters
2. In GetChatHistory: fmt.Sprintf for LIMIT clause value
3. In SetMessageVisibilityForUserID: Unsafe userID interpolation in WHERE clause All these patterns allow injection of malicious SQL payloads. The patch replaces them with parameterized queries using ? placeholders and tx.Prepare(), confirming these were the vulnerable points.