Code Execution Vulnerability in Scramble for Laravel Projects
CVE-2026-44262

9.4CRITICAL

Key Information:

Vendor: Dedoc
Status: Scramble
Vendor: CVE Published:; 12 May 2026

What is CVE-2026-44262?

Scramble, a tool for generating API documentation in Laravel applications, contains a vulnerability that affects versions from 0.13.2 to prior to 0.13.22. This issue arises when documentation endpoints are made publicly accessible and validation rules reference user-controlled input. Consequently, supplied data may be evaluated during the documentation generation process, potentially allowing an attacker to execute arbitrary PHP code within the application context. This vulnerability has been addressed in version 0.13.22.

Affected Version(s)

scramble >= 0.13.2, < 0.13.22

References

https://github.com/dedoc/scramble/security/advisories/GHS...

x_refsource_CONFIRM

https://github.com/dedoc/scramble/releases/tag/v0.13.22

x_refsource_MISC

CVSS V3.1

Score:

9.4

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 12, 2026
Vulnerability Reserved
May 5, 2026

CVE-2026-44262 Data

JSON

Dedoc

What is CVE-2026-44262?

Affected Version(s)

References

CVSS V3.1

Timeline