Pastes can be filtered using the filter parameter and it allows sending raw strings as query filters which are prone to SQL injections.
filter
# The filter parameter of the pastes operation allows escaping the SQL command and inject a SQL payload query { pastes(filter:"aaa ' or 1=1--") { content title } }