🚨 BREAKING

CVE-2026-44262: Critical RCE in Laravel Scramble API Docs

A critical remote code execution (RCE) vulnerability, CVE-2026-44262, has been identified in Scramble, a tool that generates API documentation for Laravel projects. According to the National Vulnerability Database, versions from 0.13.2 up to but not including 0.13.22 are affected. The flaw stems from how Scramble processes user-controlled input referenced in validation rules during documentation generation, which is reachable whenever the documentation endpoints are publicly accessible.

This vulnerability, rated 9.4 CRITICAL on the CVSS scale, allows arbitrary PHP code to be executed within the application's context. The National Vulnerability Database notes that the core issue is the evaluation of request-supplied data, which attackers can manipulate to inject and run malicious code. This is a severe oversight, especially given that exploitation is easy and requires no authentication.

Defenders need to understand the attacker’s calculus here: publicly exposed API documentation endpoints are low-hanging fruit. If an attacker can simply send crafted input to trigger RCE, it’s game over. The fix, available in Scramble version 0.13.22, directly addresses this code execution vector. Patching is not optional; it’s an immediate imperative for any organization running vulnerable versions.

What This Means For You

  • If your organization uses Laravel Scramble for API documentation, verify your installed version immediately. Any version from 0.13.2 up to but not including 0.13.22 is vulnerable to CVE-2026-44262; update to 0.13.22 or newer without delay. Also review whether your API documentation endpoints are publicly accessible and, if so, reassess that exposure.
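A version check over composer.lock for the affected range, added here as an example and not part of the original advisory; the Composer package name dedoc/scramble is assumed. It compares numeric version tuples rather than strings, so a release such as 0.13.10 is correctly placed inside the range (a plain string comparison would sort it before 0.13.2):

```python
import json
import re

# Affected range from the advisory: 0.13.2 <= version < 0.13.22.
AFFECTED_MIN = (0, 13, 2)
FIXED = (0, 13, 22)
# Composer package name for Scramble (assumed here; the page does not state it).
PACKAGE = "dedoc/scramble"


def parse_version(text):
    """Turn 'v0.13.5' or '0.13.21' into a comparable tuple of ints."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    """True when the version falls inside the vulnerable range."""
    return AFFECTED_MIN <= parse_version(version) < FIXED


def check_composer_lock(lock_json):
    """Return (found, version, affected) for Scramble in a composer.lock document."""
    data = json.loads(lock_json)
    # Scramble is usually installed as a dev dependency, so scan both sections.
    for section in ("packages", "packages-dev"):
        for pkg in data.get(section, []):
            if pkg.get("name") == PACKAGE:
                ver = pkg.get("version", "")
                return True, ver, is_affected(ver)
    return False, None, False


# Constructed sample lock file (not taken from any real project).
SAMPLE_LOCK = json.dumps({
    "packages": [{"name": "laravel/framework", "version": "v11.0.0"}],
    "packages-dev": [{"name": PACKAGE, "version": "v0.13.10"}],
})

if __name__ == "__main__":
    found, version, affected = check_composer_lock(SAMPLE_LOCK)
    print(f"found={found} version={version} affected={affected}")
```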

🛡️ Detection Rules

Three detection rules were auto-generated for this incident and mapped to MITRE ATT&CK; the Sigma YAML of the first is reproduced below.

Severity: critical · ATT&CK: T1190 (Initial Access)

CVE-2026-44262: Laravel Scramble API Docs RCE via Documentation Endpoint

Sigma YAML
title: 'CVE-2026-44262: Laravel Scramble API Docs RCE via Documentation Endpoint'
id: scw-2026-05-12-ai-1
status: experimental
level: critical
description: |
  Detects attempts to exploit CVE-2026-44262 by accessing Laravel Scramble API documentation endpoints with specific query parameters that could trigger the RCE vulnerability. This targets the initial access vector where unauthenticated users can trigger code execution by manipulating documentation generation requests.
author: SCW Feed Engine (AI-generated)
date: 2026-05-12
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-44262/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    cs-uri|contains: '/documentation'
    cs-uri-query|contains:
      - 'response_type='
      - 'request_type='
    # Exact match is Sigma's default; there is no '|exact' modifier.
    cs-method: 'GET'
    sc-status: 200
  condition: selection
falsepositives:
  - Legitimate administrative activity

Source: Shimi's Cyber World
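The selection logic of the Sigma rule above, applied to a few constructed W3C-style web server log lines (an added example, not part of the original page or of Scramble). It also runs a relaxed variant without the sc-status filter, because the rule as written only fires on HTTP 200 and an attempt that ended in a 4xx or 5xx response would never match:

```python
# Selection reproduced from the Sigma rule above: AND across fields, OR within lists.
RULE = {
    "cs-uri|contains": ["/documentation"],
    "cs-uri-query|contains": ["response_type=", "request_type="],
    "cs-method": ["GET"],
    "sc-status": ["200"],
}
# Same rule without the status filter, so failed or errored attempts are surfaced too.
RELAXED = {k: v for k, v in RULE.items() if k != "sc-status"}


def parse_w3c(text):
    """Parse W3C extended log text into one dict per request, keyed by #Fields names."""
    fields, events = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            events.append(dict(zip(fields, line.split())))
    return events


def field_matches(event, key, values):
    """Evaluate one Sigma field entry; only the |contains modifier is implemented here."""
    name, _, modifier = key.partition("|")
    actual = event.get(name, "")
    if modifier == "contains":
        return any(v in actual for v in values)
    return actual in values  # no modifier means exact match against any listed value


def matches(event, rule=RULE):
    return all(field_matches(event, key, values) for key, values in rule.items())


def alerts(text, rule=RULE):
    """Return the events from a log text that the selection matches."""
    return [e for e in parse_w3c(text) if matches(e, rule)]


# Constructed sample log (not real traffic): one clean request, one that matches the
# rule, one POST that does not, and one GET that errored with HTTP 500.
SAMPLE_LOG = """#Fields: date time cs-method cs-uri cs-uri-query sc-status
2026-05-13 01:20:01 GET /docs/api - 200
2026-05-13 01:20:05 GET /docs/api/documentation response_type=x 200
2026-05-13 01:20:09 POST /docs/api/documentation request_type=y 200
2026-05-13 01:20:12 GET /docs/api/documentation request_type=y 500
"""

if __name__ == "__main__":
    for e in alerts(SAMPLE_LOG, RELAXED):
        print(e["time"], e["cs-method"], e["cs-uri"], e["sc-status"])
```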

Indicators of Compromise

ID              Type  Indicator
CVE-2026-44262  RCE   Scramble API documentation generator for Laravel, versions 0.13.2 up to but not including 0.13.22
CVE-2026-44262  RCE   Publicly accessible documentation endpoints in Scramble
CVE-2026-44262  RCE   Validation rules referencing user-controlled input during documentation generation in Scramble
CVE-2026-44262  RCE   Arbitrary PHP code execution via evaluation of request-supplied data in Scramble

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: May 13, 2026 at 01:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
