Arbitrary Code Injection Affecting dedoc/scramble package, versions >=0.13.2, <0.13.22


Severity: critical

CVSS assessment by Snyk's Security Team.

Threat Intelligence

Exploit Maturity: Proof of Concept
EPSS: 5.86% (93rd percentile)

  • Snyk ID: SNYK-PHP-DEDOCSCRAMBLE-16438205
  • Published: 7 May 2026
  • Disclosed: 6 May 2026
  • Credit: FORIMOC

Introduced: 6 May 2026

CVE-2026-44262
CWE-94

How to fix?

Upgrade dedoc/scramble to version 0.13.22 or higher.

Overview

Affected versions of this package are vulnerable to Arbitrary Code Injection: during documentation generation, user-controlled input that appears within validation rules is evaluated. An attacker can execute arbitrary code by supplying crafted data to the documentation endpoints when those endpoints are publicly accessible and the validation rules reference user input.

Workaround

This vulnerability can be mitigated by restricting access to documentation endpoints, avoiding the use of user-controlled variables inside validation rule expressions, or disabling documentation endpoints in production environments if not required.
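The following Laravel snippets are an added example of the two workarounds above; they are not code from the advisory or from the Scramble project. The first file closes the documentation endpoints to the public (and to production entirely) through a gate; the `viewApiDocs` gate name is assumed from Scramble's documented usage and the `app.docs_viewers` config key is a hypothetical placeholder, so both should be checked against the installed version. The second file shows a controller whose validation rules are fixed constants rather than expressions built from request input, which is the pattern the advisory says to avoid.

```php
<?php
// File 1: app/Providers/AppServiceProvider.php
// Restrict who can reach the generated documentation at all.
namespace App\Providers;

use App\Models\User;
use Illuminate\Support\Facades\Gate;
use Illuminate\Support\ServiceProvider;

class AppServiceProvider extends ServiceProvider
{
    public function boot(): void
    {
        // Assumption: Scramble checks a 'viewApiDocs' gate before serving docs.
        // The parameter is nullable so the gate also runs for unauthenticated
        // requests and can deny them explicitly.
        Gate::define('viewApiDocs', function (?User $user): bool {
            if (app()->environment('production')) {
                return false; // no documentation endpoint in production
            }

            // Hypothetical config key listing operators allowed to view docs.
            $allowed = config('app.docs_viewers', []);

            return $user !== null && in_array($user->email, $allowed, true);
        });
    }
}

// File 2: app/Http/Controllers/OrderController.php
// Keep request-controlled data out of validation rule expressions.
namespace App\Http\Controllers;

use Illuminate\Http\Request;
use Illuminate\Validation\Rule;

class OrderController extends Controller
{
    // The allowed set is a constant, never derived from the incoming request.
    private const STATUSES = ['pending', 'paid', 'shipped'];

    public function update(Request $request)
    {
        // Pattern to avoid: a rule string assembled from request input, such as
        // 'in:' . $request->input('allowed_statuses'). The documentation
        // generator analyses these rules, so the rule text must be static.
        $data = $request->validate([
            'status'   => ['required', Rule::in(self::STATUSES)],
            'quantity' => ['required', 'integer', 'min:1', 'max:100'],
        ]);

        // ... apply $data to the order ...
        return response()->json(['ok' => true]);
    }
}
```

Both files are shown in one block for reading; in a project each belongs in its own file. The gate and the static rules are independent: the gate limits exposure of the documentation endpoints, while the static rules remove the user-controlled input from the expressions the generator evaluates.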
