CVE Catalog

CVE-2026-44262

Critical
Published: Translated: NVD NIST

Summary

Scramble generates API documentation for Laravel projects. From versions 0.13.2 to before 0.13.22, when documentation endpoints are publicly accessible and validation rules reference user-controlled input, supplied data may be evaluated during documentation generation, leading to execution of arbitrary PHP code in the application context.

Risk Assessment

This vulnerability may lead to the execution of malicious PHP code, posing a serious threat to the security of the application and user data. Organizations should be aware of the risks associated with publicly accessible documentation endpoints.

Recommendation

It is recommended to upgrade to version 0.13.22 or later to mitigate this vulnerability. Additionally, access to documentation endpoints should be restricted to trusted users.

Original NVD description (English source)

Scramble generates API documentation for Laravel project. From 0.13.2 to before 0.13.22, when documentation endpoints are publicly accessible and validation rules reference user-controlled input, request supplied data may be evaluated during documentation generation, leading to execution of arbitrary PHP code in the application context. This vulnerability is fixed in 0.13.22.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS