Vulnerability-Lookup

GHSA-4RM2-28VJ-FJ39

Vulnerability from github – Published: 2026-05-06 19:54 – Updated: 2026-05-13 16:41

Summary

Scramble vulnerable to remote code execution via evaluation of user-controlled input in validation rules

Details

Impact

A remote code execution (RCE) vulnerability affects versions 0.13.2 through 0.13.21. When documentation endpoints are publicly accessible and validation rules reference user-controlled input, request supplied data may be evaluated during documentation generation, leading to execution of arbitrary PHP code in the application context.

Patches

Fixed in version 0.13.22.

Workarounds

If upgrading is not immediately possible:

Restrict access to documentation endpoints (/docs/api, /docs/api.json)
Avoid using user-controlled variables inside validation rule expressions (e.g., values derived from request input)
Disable documentation endpoints in production environments if not required

These measures significantly reduce or prevent exploitability.

Severity

9.4 (Critical)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.13.21"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "dedoc/scramble"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.13.2"
            },
            {
              "fixed": "0.13.22"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-44262"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-94"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-06T19:54:56Z",
    "nvd_published_at": "2026-05-12T22:16:36Z",
    "severity": "CRITICAL"
  },
  "details": "### Impact\n\nA remote code execution (RCE) vulnerability affects versions `0.13.2` through `0.13.21`. When documentation endpoints are publicly accessible and validation rules reference user-controlled input, request supplied data may be evaluated during documentation generation, leading to execution of arbitrary PHP code in the application context.\n\n### Patches\n\nFixed in version `0.13.22`.\n\n### Workarounds\n\nIf upgrading is not immediately possible:\n\n* Restrict access to documentation endpoints (`/docs/api`, `/docs/api.json`)\n* Avoid using user-controlled variables inside validation rule expressions (e.g., values derived from request input)\n* Disable documentation endpoints in production environments if not required\n\nThese measures significantly reduce or prevent exploitability.",
  "id": "GHSA-4rm2-28vj-fj39",
  "modified": "2026-05-13T16:41:47Z",
  "published": "2026-05-06T19:54:56Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/dedoc/scramble/security/advisories/GHSA-4rm2-28vj-fj39"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44262"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/dedoc/scramble"
    },
    {
      "type": "WEB",
      "url": "https://github.com/dedoc/scramble/releases/tag/v0.13.22"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Scramble vulnerable to remote code execution via evaluation of user-controlled input in validation rules"
}

CVE-2026-44262 (GCVE-0-2026-44262)

Vulnerability from cvelistv5 – Published: 2026-05-12 20:56 – Updated: 2026-05-13 14:53

Title

Scramble: Remote code execution via evaluation of user-controlled input in validation rules

Summary

Scramble generates API documentation for Laravel project. From 0.13.2 to before 0.13.22, when documentation endpoints are publicly accessible and validation rules reference user-controlled input, request supplied data may be evaluated during documentation generation, leading to execution of arbitrary PHP code in the application context. This vulnerability is fixed in 0.13.22.

Severity

9.4 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

CWE

CWE-94 - Improper Control of Generation of Code ('Code Injection')

Assigner

GitHub_M

References

2 references

URL	Tags
https://github.com/dedoc/scramble/security/adviso…	x_refsource_CONFIRM
https://github.com/dedoc/scramble/releases/tag/v0.13.22	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
dedoc	scramble	Affected: >= 0.13.2, < 0.13.22

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-44262",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-13T14:52:35.638169Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-13T14:53:20.142Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "scramble",
          "vendor": "dedoc",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 0.13.2, \u003c 0.13.22"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Scramble generates API documentation for Laravel project. From 0.13.2 to before 0.13.22, when documentation endpoints are publicly accessible and validation rules reference user-controlled input, request supplied data may be evaluated during documentation generation, leading to execution of arbitrary PHP code in the application context. This vulnerability is fixed in 0.13.22."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 9.4,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-94",
              "description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-12T20:56:01.046Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/dedoc/scramble/security/advisories/GHSA-4rm2-28vj-fj39",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/dedoc/scramble/security/advisories/GHSA-4rm2-28vj-fj39"
        },
        {
          "name": "https://github.com/dedoc/scramble/releases/tag/v0.13.22",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/dedoc/scramble/releases/tag/v0.13.22"
        }
      ],
      "source": {
        "advisory": "GHSA-4rm2-28vj-fj39",
        "discovery": "UNKNOWN"
      },
      "title": "Scramble: Remote code execution via evaluation of user-controlled input in validation rules"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-44262",
    "datePublished": "2026-05-12T20:56:01.046Z",
    "dateReserved": "2026-05-05T16:33:55.844Z",
    "dateUpdated": "2026-05-13T14:53:20.142Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted