The _domain field is not protected against SQL injection.
/ws/rest/com.axelor.meta.db.MetaMenu/search have a payload that can be tampered as such to allow an SQL Injection.
Hello,
Thank you so much for letting us know about this! We shall communicate with our team and keep you informed of any updates in a timely manner.
Regards,