Scramble vulnerable to remote code execution via evaluation of user-controlled input in validation rules — CVE-2026-44262
GitHub · GitHub · CVE-2026-44262
ID
CVE-2026-44262
CVE-2026-44262
Date
Updated
Activity
Source
GitHub
GitHub
Vendor
GitHub
GitHub
Threat
critical
critical
CVSS
9.4
9.4
EPSS
0.00076
0.00076
Summary
### Impact A remote code execution (RCE) vulnerability affects versions `0.13.2` through `0.13.21`. When documentation endpoints are publicly accessible and validation rules reference user-controlled input, request supplied data may be evaluated during documentation generation, leading to execution of arbitrary PHP code in the application context. ### Patches Fixed in version `0.13.22`. ### Workarounds If upgrading…
Product
composer: dedoc/scramble
What to do
General, cautious steps (verify details in the official source):
- Prioritize patching or mitigation immediately (treat as actively risky).
- Identify affected product versions in your inventory and verify whether you are impacted.
- Apply vendor patches/updates or recommended mitigations as soon as available.
- Read the official advisory for exact affected versions and remediation steps.