Scramble generates API documentation for Laravel projects. From 0.13.2 to before 0.13.22, when documentation endpoints are publicly accessible and validation rules reference user-controlled input, request-supplied data may be evaluated during documentation generation, leading to execution of arbitrary PHP code in the application context. This vulnerability is fixed in 0.13.22.
State: PUBLISHED
CVE record version: 5.2
Problem type: CWE-94 (Improper Control of Generation of Code, 'Code Injection')
Scramble: Remote code execution via evaluation of user-controlled input in validation rules
Affected products
Vendor: dedoc
Product: scramble
Versions: >= 0.13.2, < 0.13.22 - AFFECTED
References
https://github.com/dedoc/scramble/security/advisories/GHSA-4rm2-28vj-fj39
https://github.com/dedoc/scramble/releases/tag/v0.13.22
GitHub Security Advisories
GHSA-4rm2-28vj-fj39
Scramble vulnerable to remote code execution via evaluation of user-controlled input in validation rules
https://github.com/advisories/GHSA-4rm2-28vj-fj39
Impact
A remote code execution (RCE) vulnerability affects versions 0.13.2 through 0.13.21. When documentation endpoints are publicly accessible and validation rules reference user-controlled input, request-supplied data may be evaluated during documentation generation, leading to execution of arbitrary PHP code in the application context.
Patches
Fixed in version 0.13.22.
Workarounds
If upgrading is not immediately possible:
- Restrict access to documentation endpoints (/docs/api, /docs/api.json)
- Avoid using user-controlled variables inside validation rule expressions (e.g., values derived from request input)
- Disable documentation endpoints in production environments if not required
These measures significantly reduce or prevent exploitability.
JSON source
https://cveawg.mitre.org/api/cve/CVE-2026-44262
{
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"cveMetadata": {
"cveId": "CVE-2026-44262",
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"dateUpdated": "2026-05-12T20:56:01.046Z",
"dateReserved": "2026-05-05T16:33:55.844Z",
"datePublished": "2026-05-12T20:56:01.046Z",
"state": "PUBLISHED"
},
"containers": {
"cna": {
"providerMetadata": {
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M",
"dateUpdated": "2026-05-12T20:56:01.046Z"
},
"title": "Scramble: Remote code execution via evaluation of user-controlled input in validation rules",
"descriptions": [
{
"lang": "en",
"value": "Scramble generates API documentation for Laravel project. From 0.13.2 to before 0.13.22, when documentation endpoints are publicly accessible and validation rules reference user-controlled input, request supplied data may be evaluated during documentation generation, leading to execution of arbitrary PHP code in the application context. This vulnerability is fixed in 0.13.22."
}
],
"affected": [
{
"vendor": "dedoc",
"product": "scramble",
"versions": [
{
"version": ">= 0.13.2, < 0.13.22",
"status": "affected"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"lang": "en",
"description": "CWE-94: Improper Control of Generation of Code ('Code Injection')",
"cweId": "CWE-94",
"type": "CWE"
}
]
}
],
"references": [
{
"url": "https://github.com/dedoc/scramble/security/advisories/GHSA-4rm2-28vj-fj39",
"name": "https://github.com/dedoc/scramble/security/advisories/GHSA-4rm2-28vj-fj39",
"tags": [
"x_refsource_CONFIRM"
]
},
{
"url": "https://github.com/dedoc/scramble/releases/tag/v0.13.22",
"name": "https://github.com/dedoc/scramble/releases/tag/v0.13.22",
"tags": [
"x_refsource_MISC"
]
}
],
"metrics": [
{
"cvssV3_1": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L",
"attackVector": "NETWORK",
"attackComplexity": "LOW",
"privilegesRequired": "NONE",
"userInteraction": "NONE",
"scope": "UNCHANGED",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"availabilityImpact": "LOW",
"baseScore": 9.4,
"baseSeverity": "CRITICAL"
}
}
]
}
}
}