CVE-2026-44262

Scramble: Remote code execution via evaluation of user-controlled input in validation rules

CVSS 9.4 CRITICAL · EPSS 5.9% · CWE-94
Scramble generates API documentation for Laravel projects. From 0.13.2 to before 0.13.22, when documentation endpoints are publicly accessible and validation rules reference user-controlled input, request-supplied data may be evaluated during documentation generation, leading to execution of arbitrary PHP code in the application context. This vulnerability is fixed in 0.13.22.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
Affected products
dedoc · scramble