CVE-2026-44262
Scramble: Remote code execution via evaluation of user-controlled input in validation rules
Vexday Risk Score
63 · High priority
SSVC decision (CISA)
Attend
PoC available → attend closely
CVSS 9.4 · EPSS 5.9% · KEV no · PoC public · Nuclei yes · Metasploit — · Patch —
Lifecycle
12 May 2026: Published on NVD
27 May 2026: Public PoC
Recommendation: Plan a near-term fix — a public PoC already exists.
Scramble generates API documentation for Laravel projects. From 0.13.2 to before 0.13.22, when documentation endpoints are publicly accessible and validation rules reference user-controlled input, request-supplied data may be evaluated during documentation generation, leading to execution of arbitrary PHP code in the application context. This vulnerability is fixed in 0.13.22.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
Affected products
dedoc · scramble
Public PoCs found: 1
exploitdb: www.exploit-db.com/exploits/52582 (unverified)
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.