OWASP ZAP uses non-existent parameters

While running scans with ZAP, I noticed that many of the reported vulnerabilities involve sending malicious content as a value to a parameter named “query”. For example:


The API method in question, however, does not have a parameter that goes by this name, so I was wondering how the tool could possibly detect a vulnerability with this. ZAP did, in fact, report an SQL Injection vulnerability with “Medium” confidence from using a URL like the above, and has had similar results with path traversal and XSS.

Could this be a consequence of me not setting up ZAP correctly? Is it possible for an API to be made to read parameters that the developers did not define? Is ZAP just guessing at the parameters the API uses?
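As an added illustration (not part of the question, and not ZAP's or any real API's code), the following shows one way an endpoint ends up honouring a parameter its developers never declared. The web framework hands the handler every key in the query string; if the handler loops over that dictionary to build a filter, the set of "defined" parameters is whatever the client sends, and an undeclared name such as `query` reaches the database engine. The table, the `DECLARED_PARAMS` allowlist and the example URLs are all constructed for this demonstration.

```python
import sqlite3
from urllib.parse import parse_qs, urlsplit

# Assumed for this example: the only parameter the endpoint documents.
DECLARED_PARAMS = {"owner"}


def make_db():
    # Constructed sample table; not data from any real application.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER, name TEXT, owner TEXT)")
    conn.executemany(
        "INSERT INTO items VALUES (?, ?, ?)",
        [(1, "alpha", "alice"), (2, "beta", "bob"), (3, "gamma", "alice")],
    )
    return conn


def params_from_url(url):
    """Single-valued query parameters, the way most frameworks hand them to a handler."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def handler_loose(conn, url):
    """Undeclared parameters become live here: every key in the query string is
    turned into a WHERE clause, and its value is spliced into the SQL text."""
    params = params_from_url(url)
    sql = "SELECT id FROM items"
    if params:
        sql += " WHERE " + " AND ".join(f"{k} = '{v}'" for k, v in params.items())
    try:
        return ("ok", [row[0] for row in conn.execute(sql)])
    except sqlite3.Error as exc:
        # Echoing the engine's message is exactly the evidence an error-based
        # scanner check looks for, whether or not the parameter name is documented.
        return ("error", str(exc))


def handler_strict(conn, url):
    """Hardened form: only declared names are honoured, unknown names are rejected
    before the database is touched, and values travel as bound parameters."""
    params = params_from_url(url)
    unknown = set(params) - DECLARED_PARAMS
    if unknown:
        return ("rejected", sorted(unknown))
    sql = "SELECT id FROM items"
    args = []
    if "owner" in params:
        sql += " WHERE owner = ?"
        args.append(params["owner"])
    return ("ok", [row[0] for row in conn.execute(sql, args)])


if __name__ == "__main__":
    db = make_db()
    for url in ("/items?owner=alice", "/items?query=x", "/items?owner=o'brien"):
        print(url, "loose:", handler_loose(db, url), "strict:", handler_strict(db, url))
```

Run against the loose handler, `/items?query=x` produces a database error for a column that does not exist, and a value containing a single quote produces a syntax error; both are the kind of response a scanner reports as an injection finding on a "non-existent" parameter. The strict handler answers the same requests with a rejection or an empty result without ever reaching the engine, which is the mitigation: declare the accepted parameter names, drop the rest, and never splice values into SQL text.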