This is a list of SQLI-XSS vulnerabilities I have found in freely available php/mySQL projects.
20 sep 2009
SQLI in myBB. Allows for modifying fields in the user table.
Issue 1 (inc/functions_upload.php) is me.
http://blog.mybboard.net/2009/09/21/mybb-1-4-9-released-security-update/
7 sep 2009
SQLI in fluxbb (1.4beta2 vulnerable, current stable being 1.2.22)
http://fluxbb.org/trac/changeset/1136
31 aug 2009
XSS in fluxbb
http://fluxbb.org/forums/topic/3222/fluxbb1222-released/
29 aug 2009
XSS through SQL Injection in Lazarus GB
http://carbonize.co.uk/Lazarus/Forum/index.php?topic=1929.0