Remote Code Execution Vulnerability (CVE‑2026‑44262) Discovered in Scramble PHP Web Application Framework
What Happened – A remote code execution (RCE) flaw (CVE‑2026‑44262) was identified in the open‑source Scramble PHP library (versions ≥ 0.13.2 and < 0.13.22). An attacker can inject arbitrary PHP via a crafted query parameter to /docs/api.json, causing the library’s NodeRulesEvaluator::doEvaluateExpression() to execute the payload.
Why It Matters for TPRM –
- The vulnerability can be weaponised by threat actors to gain full server control, exposing downstream customers’ data.
- Scramble is often embedded in SaaS platforms and internal tools, creating a supply‑chain risk for any organization that relies on third‑party software that bundles the library.
- Exploits are publicly available, raising the likelihood of opportunistic attacks against unpatched deployments.
Who Is Affected – SaaS providers, cloud‑native applications, and any organization that integrates the Scramble PHP component (primarily TECH_SAAS and OTHER vendor types).
Recommended Actions –
- Immediately upgrade to Scramble ≥ 0.13.22 or apply the vendor‑provided patch.
- Conduct an inventory of all applications that include the vulnerable versions.
- Review web‑application firewalls (WAF) rules to block unexpected query parameters to
/docs/api.json. - Monitor logs for anomalous requests and file writes to
/tmporC:\Windows\Temp.
Technical Notes – The flaw stems from unsafe use of extract() and eval() in NodeRulesEvaluator::doEvaluateExpression(). An attacker supplies a malicious code parameter that overwrites the internal $code variable, leading to arbitrary PHP execution. No CVE‑linked exploits were observed in the wild at the time of disclosure, but proof‑of‑concept code is publicly available on GitHub. Source: Exploit‑DB 52582