Hibernate, by itself, is not prone to SQL injection attacks. However, the application may be vulnerable to SQL injection attacks if user input is concatenated into HQL or Criteria queries.
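
The difference between concatenated and bound input, shown as an added example that is not code from the original page. It assumes Hibernate 6 (`jakarta.persistence` packages); the `Account` entity and the `AccountLookup` class are hypothetical names constructed for illustration.

```java
import jakarta.persistence.Entity;
import jakarta.persistence.Id;
import jakarta.persistence.criteria.CriteriaBuilder;
import jakarta.persistence.criteria.CriteriaQuery;
import jakarta.persistence.criteria.Root;
import java.util.List;
import org.hibernate.Session;

// Hypothetical entity, constructed for this example.
@Entity
class Account {
    @Id Long id;
    String username;
}

// Hypothetical lookup class; the caller supplies an open Hibernate Session.
public class AccountLookup {
    private final Session session;

    public AccountLookup(Session session) { this.session = session; }

    // VULNERABLE: the input becomes part of the HQL text, so a value
    // containing a quote (e.g. x' OR '1'='1) rewrites the WHERE clause.
    public List<Account> findConcatenated(String username) {
        String hql = "from Account a where a.username = '" + username + "'";
        return session.createQuery(hql, Account.class).getResultList();
    }

    // SAFE: the HQL text is a constant; the value is sent as a bound
    // parameter and is never parsed as query syntax.
    public List<Account> findBound(String username) {
        return session.createQuery("from Account a where a.username = :name", Account.class)
                .setParameter("name", username)
                .getResultList();
    }

    // SAFE: Criteria query built from typed expressions with an explicit
    // parameter, so no query string is assembled from user input.
    public List<Account> findCriteria(String username) {
        CriteriaBuilder cb = session.getCriteriaBuilder();
        CriteriaQuery<Account> cq = cb.createQuery(Account.class);
        Root<Account> root = cq.from(Account.class);
        cq.select(root).where(
                cb.equal(root.get("username"), cb.parameter(String.class, "name")));
        return session.createQuery(cq).setParameter("name", username).getResultList();
    }
}
```

On Hibernate 5.x the same calls apply with the `javax.persistence` packages in place of `jakarta.persistence`.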