Good question! NodeBB is built with security in mind as well as speed and ease of use. Fortunately for us, the Node.js community is very active in maintaining security, and our part is keeping NodeBB up-to-date with the latest Node.js versions.
In addition, we try not to reinvent the wheel by making our own subsystems and modules when another one already exists online. For example, we hash passwords using the well-known bcrypt library, instead of creating our own hashing mechanism. These abstractions are used all over NodeBB to ensure that critical parts of the application are exposed to as much scrutiny as possible. We try to keep these dependencies as up to date as possible.
As for SQL Injection -- we don't use SQL, so there's no risk of that. We also take care to not blindly pass in whatever the user passes in, and use a library that automatically sanitizes anything a user sends in. Again, that is another component (node_redis) that is maintained elsewhere, and is subject to much more rigorous scrutiny than NodeBB itself is.
I hope that answers your questions.
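The node_redis point above, as an added example that is not part of the original post or of NodeBB's or node_redis's code: a toy RESP (Redis protocol) encoder and decoder showing why a client that sends each argument as a length-prefixed bulk string keeps a user-supplied value from changing the command's structure, beside a naive newline-terminated builder that would not. All function names and the sample input are constructed for illustration.

```javascript
// Added illustration (not NodeBB or node_redis code). RESP frames a command as
//   *<argc>\r\n  followed, per argument, by  $<byte length>\r\n<bytes>\r\n
// so the server reads exactly <byte length> bytes and never scans the
// payload for separators; the value's content cannot start a new command.
function encodeCommand(...args) {
  const parts = [Buffer.from(`*${args.length}\r\n`)];
  for (const arg of args) {
    const bytes = Buffer.from(String(arg), 'utf8');
    parts.push(Buffer.from(`$${bytes.length}\r\n`), bytes, Buffer.from('\r\n'));
  }
  return Buffer.concat(parts);
}

// Minimal decoder for one RESP array of bulk strings: what the server sees.
function decodeCommand(buf) {
  let pos = 0;
  const readLine = () => {
    const end = buf.indexOf('\r\n', pos);
    if (end < 0) throw new Error('truncated frame');
    const line = buf.toString('utf8', pos, end);
    pos = end + 2;
    return line;
  };
  const header = readLine();
  if (header[0] !== '*') throw new Error('expected array header');
  const count = Number(header.slice(1));
  const args = [];
  for (let i = 0; i < count; i++) {
    const lenLine = readLine();
    if (lenLine[0] !== '$') throw new Error('expected bulk string');
    const len = Number(lenLine.slice(1));
    args.push(buf.toString('utf8', pos, pos + len)); // length-bounded read
    pos += len + 2;                                   // skip payload and \r\n
  }
  return args;
}

// Contrast: a naive inline command (space-separated, newline-terminated)
// interprets separators inside the value as command boundaries.
function naiveInline(...args) {
  return args.join(' ') + '\r\n';
}
function countInlineCommands(text) {
  return text.split('\r\n').filter((line) => line.length > 0).length;
}

// Constructed input containing a line break and a second command name.
const HOSTILE_VALUE = 'alice\r\nPING\r\n';
// decodeCommand(encodeCommand('HSET', 'user:1', 'name', HOSTILE_VALUE))
// yields one command with four arguments, the last one intact;
// naiveInline(...) with the same input reads as two commands.
```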