CVE-2026-44262

Scramble · Scramble

The Scramble API documentation generator for Laravel is vulnerable to remote code execution when validation rules process user-supplied data during documentation generation.

Executive summary

A critical remote code execution vulnerability in the Scramble package for Laravel allows unauthenticated attackers to execute arbitrary PHP code.

Vulnerability

This is an arbitrary code execution vulnerability that occurs during the automated generation of API documentation. An unauthenticated attacker can trigger it by supplying crafted input that reaches validation rules the documentation generator then evaluates within the application context, so the code runs with the privileges of the Laravel application itself.

Business impact

Successful exploitation results in full server compromise, as the attacker gains the ability to execute arbitrary PHP code with the privileges of the web application. Given the CVSS score of 9.4, this poses an extreme risk of data exfiltration, service disruption, and complete loss of system integrity.

Remediation

Immediate Action: Upgrade the Scramble package to version 0.13.22 or later. Confirm the installed version with `composer show dedoc/scramble` before and after the upgrade, and redeploy so that the patched package is the one actually serving the documentation routes.

Proactive Monitoring: Review web server and application logs for unexpected requests to the documentation routes, unusual input in those requests, and execution errors originating from documentation generation.

Compensating Controls: Until the upgrade is deployed, restrict access to the API documentation endpoints to authorized internal IP addresses using firewall rules or web server access controls. If the restriction is enforced inside the application rather than at the network edge, derive the client address from the direct peer or from a configured trusted proxy only; an unauthenticated caller controls X-Forwarded-For when no trusted-proxy configuration is in place.
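The following is an added example of the application-level form of that compensating control; it is not Scramble's own code or part of the advisory. It is a Laravel middleware that denies requests to the documentation routes unless the client IP falls inside an allow-list of internal CIDR ranges, with the IPv4/IPv6 prefix comparison done on the packed address so that malformed or mixed-family inputs are rejected rather than accidentally matched. The class name, the allow-listed ranges, and the assumption that the installed Scramble version attaches route middleware through a `middleware` key in `config/scramble.php` are all assumptions made for the example.

```php
<?php
// Added example (not Scramble's or the advisory's code): a Laravel middleware that
// restricts the API documentation routes to an allow-list of internal CIDR ranges.
// The class name, the ranges, and the config wiring noted at the bottom are assumptions.

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\Response;

class RestrictDocsToInternalIps
{
    /** @var string[] Internal ranges allowed to reach the docs (assumed values; adjust per site). */
    private const ALLOWED_CIDRS = [
        '10.0.0.0/8',
        '192.168.0.0/16',
        '127.0.0.1/32',
        '::1/128',
    ];

    public function handle(Request $request, Closure $next): Response
    {
        // $request->ip() returns the direct peer address unless a TrustProxies
        // configuration designates the upstream proxy; do not read X-Forwarded-For here.
        $ip = $request->ip();

        if ($ip === null || !self::ipIsAllowed($ip, self::ALLOWED_CIDRS)) {
            // 404 rather than 403 so that the documentation routes are not enumerable from outside.
            abort(404);
        }

        return $next($request);
    }

    /** True if $ip is contained in at least one of the given CIDR ranges. */
    public static function ipIsAllowed(string $ip, array $cidrs): bool
    {
        foreach ($cidrs as $cidr) {
            if (self::ipInCidr($ip, $cidr)) {
                return true;
            }
        }
        return false;
    }

    /** Prefix comparison on the packed binary address; works for IPv4 and IPv6, never across families. */
    public static function ipInCidr(string $ip, string $cidr): bool
    {
        $parts = explode('/', $cidr, 2);

        if (filter_var($ip, FILTER_VALIDATE_IP) === false
            || filter_var($parts[0], FILTER_VALIDATE_IP) === false) {
            return false; // malformed address or malformed range
        }

        $ipBin  = inet_pton($ip);
        $subBin = inet_pton($parts[0]);
        if ($ipBin === false || $subBin === false || strlen($ipBin) !== strlen($subBin)) {
            return false; // mixed IPv4/IPv6 comparison is treated as no match
        }

        $maxBits = strlen($ipBin) * 8;
        $bits = isset($parts[1]) ? (int) $parts[1] : $maxBits;
        if ($bits < 0 || $bits > $maxBits) {
            return false; // invalid prefix length
        }

        $fullBytes = intdiv($bits, 8);
        if (substr($ipBin, 0, $fullBytes) !== substr($subBin, 0, $fullBytes)) {
            return false;
        }

        $rem = $bits % 8;
        if ($rem === 0) {
            return true;
        }
        $mask = (0xFF << (8 - $rem)) & 0xFF;
        return (ord($ipBin[$fullBytes]) & $mask) === (ord($subBin[$fullBytes]) & $mask);
    }
}

// Assumed wiring (verify against the installed version's config/scramble.php):
//   'middleware' => ['web', \App\Http\Middleware\RestrictDocsToInternalIps::class],
```

Because the middleware returns 404 for non-allow-listed sources, the documentation routes look absent from the public internet while remaining reachable from the internal ranges; the check is intentionally independent of any authentication state, since the vulnerability is exploitable without credentials.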

Exploitation status

Public Exploit Available: No

Analyst recommendation

This vulnerability represents a critical threat to the confidentiality and integrity of the hosting environment. Organizations using Scramble in Laravel projects must prioritize upgrading to version 0.13.22 or later to eliminate the risk of remote code execution, and should apply the access restriction above in the interim.