CVE-2026-44262

CRITICAL 9.4 | EPSS 8.6%

Scramble vulnerable to remote code execution via evaluation of user-controlled input in validation rules

Published: 2026/5/6 | Modified: 2026/5/13

Description

### Impact

A remote code execution (RCE) vulnerability affects versions `0.13.2` through `0.13.21`. When the documentation endpoints are publicly accessible and validation rules reference user-controlled input, request-supplied data may be evaluated during documentation generation, leading to execution of arbitrary PHP code in the application context.

### Patches

Fixed in version `0.13.22`.

### Workarounds

If upgrading is not immediately possible:

* Restrict access to the documentation endpoints (`/docs/api`, `/docs/api.json`)
* Avoid using user-controlled variables inside validation rule expressions (e.g., values derived from request input)
* Disable the documentation endpoints in production environments if they are not required

These measures significantly reduce or prevent exploitability.
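The first two workarounds expressed in Laravel code, as an added example that is not part of the advisory or of the Scramble project. It assumes that Scramble gates its documentation routes behind a `viewApiDocs` ability (as the project's own documentation describes for exposing docs outside the local environment); the `docs.allowed_emails` config key, the service provider and the `UpdateProfileRequest` class are hypothetical names chosen for illustration.

```php
<?php
// Added example, not code from the advisory or from Scramble. It shows the
// defensive side of two listed workarounds: restricting who can reach the
// docs endpoints, and keeping validation rule expressions free of
// request-derived values. Names marked "hypothetical" are assumptions.

namespace App\Providers {

    use App\Models\User;
    use Illuminate\Support\Facades\Gate;
    use Illuminate\Support\ServiceProvider;

    class AppServiceProvider extends ServiceProvider
    {
        public function boot(): void
        {
            // Workaround 1: restrict /docs/api and /docs/api.json to an
            // explicit allow-list instead of leaving them publicly reachable.
            // Assumption: Scramble checks the 'viewApiDocs' gate before
            // serving its documentation routes. 'docs.allowed_emails' is a
            // hypothetical config key holding the allow-list.
            Gate::define('viewApiDocs', function (User $user): bool {
                $allowed = config('docs.allowed_emails', []);

                return in_array($user->email, $allowed, true);
            });
        }
    }
}

namespace App\Http\Requests {

    use Illuminate\Foundation\Http\FormRequest;
    use Illuminate\Validation\Rule;

    // Hypothetical form request used to illustrate workaround 2.
    class UpdateProfileRequest extends FormRequest
    {
        public function authorize(): bool
        {
            return $this->user() !== null;
        }

        public function rules(): array
        {
            // Workaround 2: every value that ends up inside a rule expression
            // is a fixed, server-side constant. Nothing here is read from
            // $this->input(), query parameters, headers or other request data,
            // which is the pattern the advisory warns against because such
            // values may be evaluated while the documentation is generated.
            $maxNameLength = 120;
            $supportedLocales = ['en', 'de', 'fr'];

            return [
                'name'   => ['required', 'string', 'max:' . $maxNameLength],
                'email'  => [
                    'required',
                    'email',
                    Rule::unique('users', 'email')->ignore($this->user()->id),
                ],
                'locale' => ['nullable', Rule::in($supportedLocales)],
            ];
        }
    }
}
```

Combined with the third workaround (not enabling the documentation routes at all in production), the gate keeps the endpoints reachable only by listed accounts, and the static rule definitions remove the request-derived input the advisory identifies as the trigger. Upgrading to `0.13.22` remains the actual fix; the example only narrows exposure until that is possible.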

Affected packages (1)

CVSS score

| Source | Version | Severity | Vector |
| --- | --- | --- | --- |
| osv | CVSS 3.1 | CRITICAL 9.4 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L |

References (4)