It has been brought to my attention that an old version (1.0.4) of QContacts is reported on some online databases of vulnerable software as affected by an SQL Injection vulnerability. So even in the worst case this supposed vulnerability would affect an outdated version no longer available for download on this site at the time of the report.
However, I've carefully reviewed the code of both 1.0.4 and the latest version and verified that the exploit doesn't work: all query string parameters are properly sanitized and no SQL injection is possible.
I've contacted the maintainers of the Joomla Vulnerable Extensions List to have a link to this note published, as QContacts is now listed there because of that report.






