CVE-2026-44262
Scramble vulnerable to remote code execution via evaluation of user-controlled input in validation rules
Severity: CRITICAL 9.4 | EPSS: 8.6%
Description
### Impact

A remote code execution (RCE) vulnerability affects versions `0.13.2` through `0.13.21`. When documentation endpoints are publicly accessible and validation rules reference user-controlled input, request-supplied data may be evaluated during documentation generation, leading to execution of arbitrary PHP code in the application context.

### Patches

Fixed in version `0.13.22`.

### Workarounds

If upgrading is not immediately possible:

* Restrict access to documentation endpoints (`/docs/api`, `/docs/api.json`)
* Avoid using user-controlled variables inside validation rule expressions (e.g., values derived from request input)
* Disable documentation endpoints in production environments if not required

These measures significantly reduce or prevent exploitability.
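The two code-level workarounds above, as an added example that is not part of the advisory or of the Scramble project's own code. It assumes a standard Laravel application using Scramble's `RestrictedDocsAccess` middleware (listed under `middleware` in `config/scramble.php`), which consults the `viewApiDocs` gate outside the local environment; the `docs.viewers` and `orders.*` config keys, the `StoreOrderRequest` class and the allowlisted e-mail approach are assumptions made for the example. Two files are shown together in one block using bracketed namespaces.

```php
<?php
// Added example, not from the advisory or from dedoc/scramble. In a real
// application these two classes live in app/Providers/AppServiceProvider.php
// and app/Http/Requests/StoreOrderRequest.php respectively.

namespace App\Providers {
    use App\Models\User;
    use Illuminate\Support\Facades\Gate;
    use Illuminate\Support\ServiceProvider;

    class AppServiceProvider extends ServiceProvider
    {
        public function boot(): void
        {
            // Workaround 1: restrict /docs/api and /docs/api.json. Scramble's
            // RestrictedDocsAccess middleware checks this gate when the app is
            // not in the local environment, so unauthenticated requests never
            // reach the documentation generator. The allowlist comes from a
            // server-side config key ('docs.viewers', assumed for this example).
            Gate::define('viewApiDocs', function (User $user): bool {
                return in_array($user->email, config('docs.viewers', []), true);
            });
        }
    }
}

namespace App\Http\Requests {
    use Illuminate\Foundation\Http\FormRequest;
    use Illuminate\Validation\Rule;

    class StoreOrderRequest extends FormRequest
    {
        public function rules(): array
        {
            // Workaround 2: never build a rule expression from request input.
            // The pattern the advisory warns about looks like this (kept only
            // as a comment): the rule string is assembled from data the
            // client controls, which is then handled by the documentation
            // generator when it inspects rules().
            //
            //   'status' => 'in:' . $this->input('allowed_statuses'),
            //
            // Safe form: every value that shapes a rule comes from server-side
            // code or configuration ('orders.statuses' and 'orders.max_qty'
            // are assumed config keys for this example).
            return [
                'status'   => ['required', Rule::in(config('orders.statuses', ['new', 'paid']))],
                'quantity' => ['required', 'integer', 'min:1', 'max:' . config('orders.max_qty', 100)],
            ];
        }
    }
}
```

If the documentation is not needed in production at all, the third workaround (removing the docs routes or the Scramble middleware group from the production configuration) is simpler than maintaining an allowlist; the gate approach is for teams that still want authenticated staff to reach the generated OpenAPI document.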
Affected packages (1)
- Packagist: dedoc/scramble, >= 0.13.2, < 0.13.22
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL 9.4 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L |