I mean, this seems equivalent to reporting a vulnerability in JDBC, because JDBC lets me execute arbitrary SQL.