Thank you for highlighting this issue.
I see where this message is coming from and I can assure you that it is not exploitable as an SQL injection because the input is filtered and any SQL or Javascript is removed and the error is caught in the code. What is incorrect is to output an error message as opposed to silently returning no results.
I will resolve this in the next release due in the next few days