CVE-2026-44262 | THREATINT

Description

Scramble generates API documentation for Laravel project. From 0.13.2 to before 0.13.22, when documentation endpoints are publicly accessible and validation rules reference user-controlled input, request supplied data may be evaluated during documentation generation, leading to execution of arbitrary PHP code in the application context. This vulnerability is fixed in 0.13.22.

PUBLISHED Reserved 2026-05-05 | Published 2026-05-12 | Updated 2026-05-13 | Assigner GitHub_M

CRITICAL: 9.4CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

Problem types

CWE-94: Improper Control of Generation of Code ('Code Injection')

Product status

>= 0.13.2, < 0.13.22

affected

References

github.com/...ramble/security/advisories/GHSA-4rm2-28vj-fj39

github.com/dedoc/scramble/releases/tag/v0.13.22

cve.org (CVE-2026-44262)

nvd.nist.gov (CVE-2026-44262)

Download JSON