CVE-2026-44262

Tags: CRITICAL · NUCLEI · LAB

Scramble: Remote code execution via evaluation of user-controlled input in validation rules

Title source: CNA

Exploitation Summary

EIP tracks 3 public exploits for CVE-2026-44262. PoCs have been published by joshua, dwisiswant0 and joshuavanderpoll. A Nuclei detection template is also available.

AI-analyzed exploit summary

This is a functional exploit for CVE-2026-44262, targeting a remote code execution vulnerability in dedoc/scramble versions >=0.13.2 and <0.13.22. The exploit leverages an eval() injection in NodeRulesEvaluator::doEvaluateExpression() via a crafted query parameter on /docs/api.json.

Description

Scramble generates API documentation for Laravel projects. In versions from 0.13.2 up to, but not including, 0.13.22, when the documentation endpoints are publicly accessible and a validation rule references user-controlled input, request-supplied data may be evaluated during documentation generation, leading to execution of arbitrary PHP code in the application context. The vulnerability is fixed in 0.13.22.
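To make the collision concrete, here is an added illustration written for this page; it is a constructed model of the pattern the exploit summaries describe and is not Scramble's source. The model evaluator keeps the expression it is about to eval() in a local named $code and binds the variables assigned earlier in a rules() body into its own scope with variable variables, so a rules() body that assigns $code from request input replaces the expression before it is evaluated. The rules() body, the evaluator functions and the request input are all constructed here; the hardened variant shows the generic remedy for the collision and is not the project's own fix in 0.13.22.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for a FormRequest::rules() body that reads request input.
// 'assignments' maps a variable name to the PHP source assigned to it; 'return' is the
// source of the rules array the method returns. The variable is deliberately named $code.
$rulesBody = [
    'assignments' => [
        'code' => '$request["code"]',
        'type' => '"percent"',
    ],
    'return' => '["discount" => "required_if:type," . $type, "code" => "string|max:" . strlen($code)]',
];

// Constructed query-string input of the documentation request (/docs/api.json?code=...).
// A harmless function call stands in for an attacker's payload.
$request = ['code' => 'strtoupper("evaluated-from-request")'];

// VULNERABLE model: the expression source sits in $code, and the variables assigned so far
// are bound with $$name before eval(). A scope entry named "code" replaces the expression,
// so the request value (data) is executed as PHP (code).
function evaluateExpressionVulnerable(string $expr, array $scope, array $request)
{
    $code = $expr;
    foreach ($scope as $name => $value) {
        $$name = $value;        // $scope['code'] overwrites $code here
    }
    return eval("return {$code};");
}

// HARDENED model: evaluate inside a closure whose own locals use names the scope cannot
// reach, and bind the scope with EXTR_SKIP so it can never shadow those locals.
function evaluateExpressionHardened(string $expr, array $scope, array $request)
{
    $runner = static function (array $__scope, string $__expr, array $request) {
        extract($__scope, EXTR_SKIP);   // names already defined ($__scope, $__expr, $request) are kept
        return eval("return {$__expr};");
    };
    return $runner($scope, $expr, $request);
}

// Runs a rules() body the way the model evaluator would: assignments first, then the return.
function runRules(array $body, array $request, callable $evaluate)
{
    $scope = [];
    foreach ($body['assignments'] as $name => $expr) {
        $scope[$name] = $evaluate($expr, $scope, $request);
    }
    return $evaluate($body['return'], $scope, $request);
}

echo "vulnerable: ";
var_export(runRules($rulesBody, $request, 'evaluateExpressionVulnerable'));
echo PHP_EOL, "hardened:   ";
var_export(runRules($rulesBody, $request, 'evaluateExpressionHardened'));
echo PHP_EOL;
```

Run with the php CLI. The vulnerable variant returns the result of running the request value as PHP (the upper-cased string) instead of a rules array, while the hardened variant returns the two rules and treats the request value as a plain string whose length is measured. Whatever the real evaluator looks like, the operational point of the description stands: the exposure needs both a publicly reachable /docs/api.json and a rules() method that reads request input.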

Exploits (3)

exploitdb · WORKING POC
by joshua · python · webapps · php
https://www.exploit-db.com/exploits/52582

This is a functional exploit for CVE-2026-44262, targeting a remote code execution vulnerability in dedoc/scramble versions >=0.13.2 and <0.13.22. The exploit leverages an eval() injection in NodeRulesEvaluator::doEvaluateExpression() via a crafted query parameter on /docs/api.json.

Classification: Working PoC (100%) · Attack type: RCE · Complexity: Moderate · Reliability: Reliable
Target: dedoc/scramble (>=0.13.2, <0.13.22)
Authentication: none needed
Prerequisites: access to the /docs/api.json endpoint · a vulnerable parameter in the OpenAPI spec
Analyzed by devstral-2 on May 28, 2026
github · WORKING POC · 1 star
by dwisiswant0 · python · poc
https://github.com/dwisiswant0/neo-pocs/tree/master/2026/CVE-2026-44262

This repository contains a functional exploit for CVE-2026-44262, demonstrating remote code execution via eval injection in the dedoc/scramble Laravel package. The exploit leverages variable name collision in the NodeRulesEvaluator to inject arbitrary PHP code.

Classification: Working PoC (95%) · Attack type: RCE · Complexity: Moderate · Reliability: Reliable
Target: dedoc/scramble (Composer/PHP) versions >= 0.13.2, <= 0.13.21
Authentication: none needed
Prerequisites: Scramble <= 0.13.21 installed in a Laravel application · documentation endpoint (/docs/api.json) accessible without authentication · at least one route with a FormRequest defining a $code variable from request input
Analyzed by devstral-2 on May 14, 2026
github · WORKING POC · 1 star
by joshuavanderpoll · blade · poc
https://github.com/joshuavanderpoll/CVE-2026-44262

This repository contains a functional exploit for CVE-2026-44262, targeting an unauthenticated RCE vulnerability in dedoc/scramble via a PHP code injection flaw in the NodeRulesEvaluator::doEvaluateExpression() function. The exploit leverages a query parameter on /docs/api.json to overwrite internal variables and execute arbitrary PHP code.

Classification: Working PoC (95%) · Attack type: RCE · Complexity: Moderate · Reliability: Reliable
Target: dedoc/scramble >=0.13.2, <0.13.22
Authentication: none needed
Prerequisites: access to the /docs/api.json endpoint · target running a vulnerable version of dedoc/scramble
Analyzed by devstral-2 on May 17, 2026

Nuclei Templates (1)

Scramble Laravel - Remote Code Execution
CRITICAL · VERIFIED · by joshuavanderpoll

References (2)


Scores

CVSS v3.1 base score: 9.4 (vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L)
EPSS: 0.0861 (92.6th percentile)
Attack vector: Network

CISA SSVC (Vulnrichment)

Exploitation: none (the value recorded at enrichment; SSVC's scale is none / poc / active, and the three public PoCs listed above are not reflected in it)
Automatable: yes
Technical Impact: total

Details

CWE: CWE-94 (Improper Control of Generation of Code, 'Code Injection')
Status: published
Products (2)
dedoc/scramble 0.13.2 - 0.13.22 (Packagist; the upper bound is the fixed release, so 0.13.22 itself is not affected)
dedoc/scramble >= 0.13.2, < 0.13.22
Published May 12, 2026
Tracked Since May 13, 2026
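An added version check for the affected range above, written for this page rather than taken from the project: it reads a composer.lock, scans both packages and packages-dev for dedoc/scramble, and compares the locked version against the bounds >= 0.13.2 and < 0.13.22. The lock-file excerpt is constructed for the example.

```php
<?php
declare(strict_types=1);

const SCRAMBLE_AFFECTED_FROM = '0.13.2';   // first affected release (inclusive), from the advisory
const SCRAMBLE_FIXED_IN      = '0.13.22';  // first fixed release, from the advisory

/**
 * Looks up dedoc/scramble in a composer.lock document.
 * Returns null when the package is not locked; otherwise
 * ['version' => string, 'affected' => bool|null], where null means "branch install, compare by hand".
 * Both "packages" and "packages-dev" are scanned: a dev-only install still serves the docs routes.
 */
function scrambleStatus(string $composerLockJson): ?array
{
    $lock = json_decode($composerLockJson, true, 512, JSON_THROW_ON_ERROR);
    $locked = array_merge($lock['packages'] ?? [], $lock['packages-dev'] ?? []);

    foreach ($locked as $pkg) {
        if (($pkg['name'] ?? null) !== 'dedoc/scramble') {
            continue;
        }
        $version = ltrim((string) $pkg['version'], 'v');   // tolerate a leading "v" in the tag
        if (str_starts_with($version, 'dev-')) {
            return ['version' => $version, 'affected' => null];
        }
        $affected = version_compare($version, SCRAMBLE_AFFECTED_FROM, '>=')
                 && version_compare($version, SCRAMBLE_FIXED_IN, '<');
        return ['version' => $version, 'affected' => $affected];
    }
    return null;
}

// Constructed composer.lock excerpt for the example.
$lockJson = <<<'JSON'
{
  "packages": [{"name": "laravel/framework", "version": "v11.30.0"}],
  "packages-dev": [{"name": "dedoc/scramble", "version": "v0.13.21"}]
}
JSON;

$status = scrambleStatus($lockJson);
if ($status === null) {
    echo "dedoc/scramble is not in composer.lock", PHP_EOL;
} elseif ($status['affected'] === null) {
    echo "dedoc/scramble {$status['version']}: branch install, compare the commit against ", SCRAMBLE_FIXED_IN, PHP_EOL;
} else {
    echo "dedoc/scramble {$status['version']}: ",
        $status['affected'] ? 'AFFECTED, upgrade to ' . SCRAMBLE_FIXED_IN : 'not affected',
        PHP_EOL;
}
```

A branch install (a version starting with dev-) is reported as unknown rather than compared, since version_compare cannot place it in the range. The version is only half of the exposure: every PoC above also requires /docs/api.json to be reachable without authentication, so a review of that route's middleware belongs alongside this check.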