Could possibly use this for a malicious purpose.

Code:
intext:Powered by YOURLS v + intext:Enter a new URL to shorten

POC example

evoc.in is a big site. Right? 
It's vulnerable to this. 

http://evoc.in/s/admin/tools.php

I'm assuming you don't want these linked openly, right?
http://evoc.in/s/admin/index.php - Here you can see the following:
IP addresses, stats, etc. and you can modify the links to something dangerous.

SQLi?

Code:
DB driver: pdo
SELECT `option_name`, `option_value` FROM `yourls_options` WHERE 1=1
Check for new version: no
SELECT COUNT(keyword) as count, SUM(clicks) as sum FROM `yourls_url` WHERE 1=1 
SELECT * FROM `yourls_url` WHERE 1=1  ORDER BY `timestamp` desc LIMIT 0, 15;

# siph0n [2016-06-23]