At line 260 of (mod.freeform.php), you should ‘maybe’ mysql_real_escape_string the ‘form_name’ parameter in case someone decides to put a single quote into their form name.  I say ‘maybe’ because this issue only appears when logged in ... does EE handle templates differently based on a user’s logged-in status?

Good one. We’ll wrap that param inside $DB->escape_str() in a next build.

mk