
Curious how they handle GQL injections. Most devs using GraphQL have no clue what they are, as the majority just cargo-cult new frameworks to keep themselves busy.


What are GQL injections? You mean something like SQL injections that come through the GraphQL API?


Exactly. Suppose you have a front-end system that captures user input, and then the backend communicates with another system using the input data. If it is not properly escaped and is concatenated, then it can lead to an injection attack just like regular SQL.

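The scenario in the comment above, as an added example that is not part of the thread: a GraphQL resolver receives a typed `username` argument and hands it to a backend SQL database. The GraphQL schema only guarantees that the argument is a string; what happens next depends entirely on how the resolver builds the query. The example assumes an in-memory SQLite `users` table (constructed here) and writes the resolvers as plain Python functions taking an `args` dict, the same shape a GraphQL server library would pass them, so it runs without any GraphQL dependency.

```python
import sqlite3

# Constructed sample database: a "users" table standing in for the backend
# system the resolver talks to (assumption for this example).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


# Vulnerable resolver: the GraphQL argument (already type-checked as a
# String by the schema) is concatenated straight into SQL text. The type
# system cannot help here; the argument's *content* becomes query syntax.
def resolve_user_concat(conn, args):
    sql = (
        "SELECT username, email FROM users WHERE username = '"
        + args["username"]
        + "'"
    )
    return conn.execute(sql).fetchall()


# Hardened resolver: a parameterized query. The argument travels to the
# database as a bound value, so quotes or operators inside it are data,
# never part of the statement.
def resolve_user_param(conn, args):
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?",
        (args["username"],),
    ).fetchall()


# Helper used to compare the two resolvers on the same input. Returns the
# row list, or the string "error" when the database rejects the statement
# (a symptom of user input having altered the query text).
def run_resolver(resolver, conn, username):
    try:
        return resolver(conn, {"username": username})
    except sqlite3.OperationalError:
        return "error"


if __name__ == "__main__":
    db = make_db()
    # A legitimate username containing an apostrophe: the concatenating
    # resolver breaks, the parameterized one simply finds no match.
    for name in ("alice", "o'brien"):
        print(name, run_resolver(resolve_user_concat, db, name),
              run_resolver(resolve_user_param, db, name))
```

The `o'brien` case is the one to watch for in logs and tests: a backend syntax error triggered by ordinary user input is the same mechanism an attacker relies on, and it shows up long before anyone sends a deliberate payload. The fix is the same as for any other API surface: bind parameters (or use an ORM/query builder that does), regardless of whether the request arrived over GraphQL or REST.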

I find the terminology strange.

The exact same thing can happen with a standard REST API. In fact, it's even more likely, since there is no type system to assist there.

Would you then call it REST injections too?
