| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| github.com/flyteorg/flyteadmin | go | < 1.1.124 | 1.1.124 |
The vulnerability stems from two areas: 1) the original NewSortParameter() function used user-controlled sort keys directly in SQL ORDER BY clauses without validation, and 2) the ParseFilters() function allowed arbitrary entity/field references in filter expressions. The fixing commit adds validation through allowed column sets (models.*Columns) and entity relationship checks, indicating that these safeguards were previously missing. Both functions took user-controlled input and incorporated it directly into SQL queries without proper whitelisting, making them injection vectors.
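The following is an added example, not code from flyteadmin or the fixing commit, showing the shape of the safeguard the commit introduces: a sort key is accepted only if it appears in an allowed column set, the direction is restricted to asc/desc, and a filter's entity/field reference is checked against the known entity-to-column relationships before any SQL is assembled. The column sets, entity names, type names and function signatures here are assumptions constructed for illustration and do not reproduce the project's actual models.*Columns values or API.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Constructed allowed-column set, standing in for the models.*Columns sets the
// fix adds. Only keys present here may ever reach an ORDER BY clause.
var ExecutionColumns = map[string]struct{}{
	"created_at": {},
	"updated_at": {},
	"name":       {},
	"phase":      {},
}

// Constructed entity-to-column relationships used to validate filter references.
var EntityColumns = map[string]map[string]struct{}{
	"execution": ExecutionColumns,
	"task":      {"name": {}, "version": {}},
}

var (
	ErrInvalidSortKey       = errors.New("sort key is not an allowed column")
	ErrInvalidSortDirection = errors.New("sort direction must be asc or desc")
	ErrInvalidFilterRef     = errors.New("filter reference is not a known entity.field")
)

// SortParameter holds a sort column and direction that have passed validation.
type SortParameter struct {
	Column    string
	Direction string
}

// NewSortParameter accepts a user-controlled key and direction and returns a
// SortParameter only if the key is in the allowed set and the direction is
// asc or desc. Anything else is rejected before it can touch a query.
func NewSortParameter(key, direction string, allowed map[string]struct{}) (SortParameter, error) {
	if _, ok := allowed[key]; !ok {
		return SortParameter{}, fmt.Errorf("%w: %q", ErrInvalidSortKey, key)
	}
	dir := strings.ToLower(direction)
	if dir != "asc" && dir != "desc" {
		return SortParameter{}, fmt.Errorf("%w: %q", ErrInvalidSortDirection, direction)
	}
	return SortParameter{Column: key, Direction: dir}, nil
}

// OrderByClause builds the ORDER BY fragment. Both parts came from fixed,
// server-controlled vocabularies, so string formatting is safe here.
func (s SortParameter) OrderByClause() string {
	return fmt.Sprintf("ORDER BY %s %s", s.Column, s.Direction)
}

// Filter holds a validated entity/field reference plus its comparison value.
type Filter struct {
	Entity string
	Field  string
	Value  string
}

// ParseFilter splits a user-supplied "entity.field" reference and checks that
// the entity is known and that the field belongs to that entity.
func ParseFilter(ref, value string, known map[string]map[string]struct{}) (Filter, error) {
	parts := strings.SplitN(ref, ".", 2)
	if len(parts) != 2 {
		return Filter{}, fmt.Errorf("%w: %q", ErrInvalidFilterRef, ref)
	}
	cols, ok := known[parts[0]]
	if !ok {
		return Filter{}, fmt.Errorf("%w: unknown entity %q", ErrInvalidFilterRef, parts[0])
	}
	if _, ok := cols[parts[1]]; !ok {
		return Filter{}, fmt.Errorf("%w: %q is not a column of %q", ErrInvalidFilterRef, parts[1], parts[0])
	}
	return Filter{Entity: parts[0], Field: parts[1], Value: value}, nil
}

// WhereClause returns a fragment with the validated identifiers inlined and the
// value left as a bind parameter, so the value is never interpolated into SQL.
func (f Filter) WhereClause() (string, []interface{}) {
	return fmt.Sprintf("%s.%s = ?", f.Entity, f.Field), []interface{}{f.Value}
}

func main() {
	// Sample inputs, constructed for this example.
	if p, err := NewSortParameter("created_at", "DESC", ExecutionColumns); err == nil {
		fmt.Println(p.OrderByClause())
	}
	if _, err := NewSortParameter("created_at;", "asc", ExecutionColumns); err != nil {
		fmt.Println("rejected:", err)
	}
	if f, err := ParseFilter("execution.phase", "SUCCEEDED", EntityColumns); err == nil {
		clause, args := f.WhereClause()
		fmt.Println(clause, args)
	}
	if _, err := ParseFilter("execution.version", "1", EntityColumns); err != nil {
		fmt.Println("rejected:", err)
	}
}
```

The design point is that identifiers (column and entity names) cannot be bound as query parameters, so the only sound control is a closed allowlist checked before the string is built; the comparison value, by contrast, is passed as a bind parameter and never formatted into the query.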