EXECUTIVE SUMMARY:
CVE-2026-44262, with a CVSS score of 9.4, is a remote code execution vulnerability affecting versions 0.13.2 through 0.13.21 of Scramble, a GitHub project. The vulnerability arises when documentation endpoints are publicly accessible and validation rules reference user-controlled input: request-supplied data is then evaluated during documentation generation, leading to the execution of arbitrary PHP code in the application context. An attacker can exploit this vulnerability by sending a malicious request to the affected documentation endpoint; no privileges or user interaction are required, and the result is the ability to execute arbitrary code on the application. If exploited, this vulnerability can have significant business impact, including unauthorized data access, data modification, and loss of component availability. Prerequisites for exploitation are public accessibility of the documentation endpoints and the presence of user-controlled variables within validation rule expressions.
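As an added defensive check (not code from the advisory, from Scramble or from Laravel), the following Python script scans Laravel FormRequest source for the second precondition named above: validation rule expressions inside rules() that read request-supplied data. The two sample classes and the list of request-reading calls are constructed assumptions; a hit means the class should be reviewed, not that it is necessarily exploitable.

```python
import re
# Constructed sample (not from the advisory): a Laravel FormRequest whose rules()
# builds rule strings from request input, the precondition the advisory names.
VULNERABLE_SRC = """<?php
class StoreOrderRequest extends FormRequest
{
    public function rules(): array
    {
        return [
            'sku' => 'required|exists:products,sku,shop_id,' . $this->input('shop_id'),
            'qty' => ['required', 'integer', 'max:' . request('limit')],
        ];
    }
}
"""
# Constructed sample with static rules only: nothing request-controlled is evaluated.
SAFE_SRC = """<?php
class StoreOrderRequest extends FormRequest
{
    public function rules(): array
    {
        return ['sku' => ['required', 'string'], 'qty' => ['required', 'integer', 'max:100']];
    }
}
"""
# Heuristic set of calls that read request-supplied data (assumption: extend for your codebase).
REQUEST_REFS = re.compile(r"\$this->(?:input|get|post|query|route|all)\(|\brequest\(|\$request->")
RULES_METHOD = re.compile(r"function\s+rules\s*\([^)]*\)[^{]*\{")

def rules_body(src):
    """Locate the rules() method by brace matching; return (body_start, body) or None."""
    m = RULES_METHOD.search(src)
    if not m:
        return None
    depth = 1
    for i in range(m.end(), len(src)):
        depth += {"{": 1, "}": -1}.get(src[i], 0)
        if depth == 0:
            return m.end(), src[m.end():i]
    return None  # unbalanced braces: treat as not found

def scan(src):
    """Return (line_number, stripped_line) for lines in rules() that reference request data."""
    found = rules_body(src)
    if found is None:
        return []
    start, body = found
    first_line = src[:start].count("\n") + 1  # body starts on the line holding the '{'
    return [(n, line.strip()) for n, line in enumerate(body.splitlines(), start=first_line)
            if REQUEST_REFS.search(line)]
```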
RECOMMENDATION:
REFERENCES:
The following reports contain further technical details:
https://github.com/advisories/GHSA-4rm2-28vj-fj39