Scramble: Remote code execution via evaluation of user-controlled input in...

9.4 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

Description

Scramble generates API documentation for Laravel project. From 0.13.2 to before 0.13.22, when documentation endpoints are publicly accessible and validation rules reference user-controlled input, request supplied data may be evaluated during documentation generation, leading to execution of arbitrary PHP code in the application context. This vulnerability is fixed in 0.13.22.

Basic Information

ID CVE-2026-44262

Source GitHub_M

Published May 12, 2026 at 20:56

Affected Product

Vendor dedoc

Product scramble

Version >= 0.13.2, < 0.13.22

Affected Versions dedoc scramble >= 0.13.2, < 0.13.22

CWE Classification

CWE-94

References

{
    "lastseen": "",
    "description": "Scramble generates API documentation for Laravel project. From 0.13.2 to before 0.13.22, when documentation endpoints are publicly accessible and validation rules reference user-controlled input, request supplied data may be evaluated during documentation generation, leading to execution of arbitrary PHP code in the application context. This vulnerability is fixed in 0.13.22.",
    "published": "2026-05-12T20:56:01.046Z",
    "modified": "2026-05-12T20:56:01.046Z",
    "type": "cve",
    "title": "Scramble: Remote code execution via evaluation of user-controlled input in validation rules",
    "source": "GitHub_M",
    "references": "https://github.com/dedoc/scramble/security/advisories/GHSA-4rm2-28vj-fj39\nhttps://github.com/dedoc/scramble/releases/tag/v0.13.22",
    "id": "CVE-2026-44262",
    "bulletinFamily": "",
    "cwe": [
        "CWE-94"
    ],
    "cvelist": null,
    "sourceData": "dedoc scramble >= 0.13.2, < 0.13.22",
    "sourceHref": "",
    "cvss": {
        "score": 9.4,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "scramble",
    "version": ">= 0.13.2, < 0.13.22",
    "vendor": "dedoc",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Scramble: Remote code execution via evaluation of user-controlled input in validation rules_CVE-2026-44262