{"id":"CVE-2026-44262","summary":"Scramble: Remote code execution via evaluation of user-controlled input in validation rules","details":"Scramble generates API documentation for Laravel project. From 0.13.2 to before 0.13.22, when documentation endpoints are publicly accessible and validation rules reference user-controlled input, request supplied data may be evaluated during documentation generation, leading to execution of arbitrary PHP code in the application context. This vulnerability is fixed in 0.13.22.","aliases":["GHSA-4rm2-28vj-fj39"],"modified":"2026-07-08T08:13:46.352701064Z","published":"2026-05-12T20:56:01.046Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/44xxx/CVE-2026-44262.json","cwe_ids":["CWE-94"],"cna_assigner":"GitHub_M"},"references":[{"type":"WEB","url":"https://github.com/dedoc/scramble/releases/tag/v0.13.22"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/44xxx/CVE-2026-44262.json"},{"type":"ADVISORY","url":"https://github.com/dedoc/scramble/security/advisories/GHSA-4rm2-28vj-fj39"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44262"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/dedoc/scramble","events":[{"introduced":"0879b46a2b398e7e55598f5a25e0783c3e3ae43c"},{"fixed":"b54b0c43bdebaa01f66cc3dfdd8f91e19b12da96"}],"database_specific":{"source":["AFFECTED_FIELD","DESCRIPTION","REFERENCES"],"extracted_events":[{"introduced":"0.13.2"},{"fixed":"0.13.22"},{"introduced":"0"}]}}],"versions":["v0.13.21","v0.13.20","v0.13.19","v0.13.18","v0.13.17","v0.13.16","v0.13.15","v0.13.14","v0.13.13","v0.13.12","v0.13.11","v0.13.10","v0.13.9","v0.13.8","v0.13.7","v0.13.6","v0.13.5","v0.13.4","v0.13.3","v0.13.2"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-44262.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L"}]}