CVE-2026-44262
CriticalSummary
Scramble generates API documentation for Laravel projects. From versions 0.13.2 to before 0.13.22, when documentation endpoints are publicly accessible and validation rules reference user-controlled input, supplied data may be evaluated during documentation generation, leading to execution of arbitrary PHP code in the application context.
Risk Assessment
This vulnerability may lead to the execution of malicious PHP code, posing a serious threat to the security of the application and user data. Organizations should be aware of the risks associated with publicly accessible documentation endpoints.
Recommendation
It is recommended to upgrade to version 0.13.22 or later to mitigate this vulnerability. Additionally, access to documentation endpoints should be restricted to trusted users.
Original NVD description (English source)
Scramble generates API documentation for Laravel project. From 0.13.2 to before 0.13.22, when documentation endpoints are publicly accessible and validation rules reference user-controlled input, request supplied data may be evaluated during documentation generation, leading to execution of arbitrary PHP code in the application context. This vulnerability is fixed in 0.13.22.

