Google Search Console coverage reports URLs with SQL injections

In the Coverage section I find a couple of URLs with Server error 5xx:

https://example.com/us/en99999" union select unhex(hex(version())) -- "x"="x/restaurants/pizza-luigi

Surely Google does not launch these on my site.

So I assume this URL either:

  1. Should appear on the sitemap
  2. It is generated on the site either by malicious data in the database or malicious script attached. Crawler sees this link on the site and follows it.

Are my assumptions correct?

What I did so far was:

I investigated and ruled out the sitemap and the database. I also checked for malicious scripts attached and could not find a single thing.

The way it is constructed points me to this piece of code on every page, which is used by scripts to construct URLs for stuff like modals etc.:

Data.init({
    page: {
        languageCode: 'en',
        countryCode: 'us'
    },

    urls: {
        menu: 'https://example.com' + '/{country}/{lang}/restaurants/{slug}'
    }
});

Basically, something might be appending the SQL injection to this variable: languageCode.

How do I find it?

Is there any other possibility for this happening?
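
One way to approach "How do I find it?" from the server side, as an added example that is not part of the original post: triage the access log for requests to the `/{country}/{lang}/restaurants/{slug}` route whose country or language segment is not a plain code, and record the referer to see whether the link came from the site's own pages or from elsewhere. The combined log format, the two-letter-code rule, the function names and the sample log lines are assumptions constructed for illustration.

```javascript
// Added example: access-log triage for the /{country}/{lang}/restaurants/{slug} route.
// SAMPLE_LOG is constructed data in combined log format, not real traffic.
const SAMPLE_LOG = [
  '203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "GET /us/en/restaurants/pizza-luigi HTTP/1.1" 200 5120 "https://example.com/us/en" "Mozilla/5.0"',
  '198.51.100.9 - - [10/Mar/2024:10:00:05 +0000] "GET /us/en99999%22%20union%20select%20unhex(hex(version()))%20--%20%22x%22=%22x/restaurants/pizza-luigi HTTP/1.1" 500 312 "-" "scanner/1.0"',
  '192.0.2.44 - - [10/Mar/2024:11:30:00 +0000] "GET /us/en99999%22%20union%20select%20unhex(hex(version()))%20--%20%22x%22=%22x/restaurants/pizza-luigi HTTP/1.1" 500 312 "https://links.example.net/list" "ExampleCrawler/1.0"',
];

const LINE_RE = /^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"$/;
const CODE_RE = /^[a-z]{2}$/; // assumption: country and language are two-letter codes

function safeDecode(s) {
  try { return decodeURIComponent(s); } catch { return s; } // keep malformed escapes as-is
}

// Split the raw path first so encoded slashes cannot shift the segments.
function classifyPath(path) {
  const segs = path.split('?')[0].split('/').slice(1);
  if (segs.length !== 4 || segs[2] !== 'restaurants') return { route: false };
  const country = safeDecode(segs[0]);
  const lang = safeDecode(segs[1]);
  return { route: true, valid: CODE_RE.test(country) && CODE_RE.test(lang), country, lang };
}

// Where did the client say the link came from?
function refererOrigin(referer, ownHost) {
  if (referer === '-' || referer === '') return 'no-referer';
  try { return new URL(referer).host === ownHost ? 'own-site' : 'external'; }
  catch { return 'unparseable'; }
}

function findSuspicious(lines, ownHost) {
  const hits = [];
  for (const line of lines) {
    const m = LINE_RE.exec(line);
    if (!m) continue;
    const [, ip, path, status, referer, agent] = m;
    const c = classifyPath(path);
    if (c.route && !c.valid) {
      hits.push({ ip, status: Number(status), lang: c.lang, agent, origin: refererOrigin(referer, ownHost) });
    }
  }
  return hits;
}

console.log(findSuspicious(SAMPLE_LOG, 'example.com'));
```

An `own-site` origin would point at a page on the site emitting the link; `external` or `no-referer` points at requests that did not start from the site's own markup. The same `classifyPath` check can run in the route handler so a malformed segment is rejected before it reaches a query.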