PT-2026-38297 · Scramble · Scramble

Published: 2026-05-06 · Updated: 2026-05-12 · CVE-2026-44262

CVSS v3.1: 9.4 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
Name of the Vulnerable Software and Affected Versions: Scramble versions 0.13.2 through 0.13.21

Description: When documentation endpoints are publicly accessible and validation rules reference user-controlled input, request-supplied data may be evaluated during documentation generation. This can lead to remote code execution (RCE), allowing arbitrary PHP code to be executed within the application context.

Recommendations: Update to version 0.13.22. Restrict access to the endpoints "/docs/api" and "/docs/api.json". Avoid using user-controlled variables inside validation rule expressions. Disable documentation endpoints in production environments if they are not required.

Tags: Exploit · Fix · RCE · Code Injection

Weakness Enumeration

Related Identifiers

CVE-2026-44262
GHSA-4RM2-28VJ-FJ39

Affected Products

Scramble