EIP-2026-107681

This advisory details a SQL injection vulnerability in HumHub versions 0.11.2 and 0.20.0-beta.2, where the 'from' parameter in the directory stream endpoint is vulnerable to exploitation. The proof of concept includes SQLMap commands demonstrating boolean-based blind, error-based, and time-based blind SQL injection techniques.