CVE-2026-31843
Published: 2026-04-16
Priority: P2 (76) · Severity: critical · CVSS 3.1 base score: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.94% (77.6th percentile)
The goodoneuz/pay-uz Laravel package (<= 2.2.24) contains a critical vulnerability in the /payment/api/editable/update endpoint that allows unauthenticated attackers to overwrite existing PHP payment hook files. The endpoint is exposed via Route::any() without authentication middleware, enabling remote access without credentials. User-controlled input is directly written into executable PHP files using file_put_contents(). These files are later executed via require() during normal payment processing workflows, resulting in remote code execution under default application behavior. The payment secret token mentioned by the vendor is unrelated to this endpoint and does not mitigate the vulnerability.
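The description above names three weaknesses that compound into code execution: a route registered for every HTTP verb with no authentication middleware, request input copied into a PHP file with file_put_contents(), and that file later loaded with require(). The following Laravel snippet is an added illustration, not code from the pay-uz package: the route path is the one the advisory gives, while the hook names, the `manage-payment-hooks` ability, the storage disk and the `loadPaymentHook()` helper are assumptions made for the example. The weak shape is kept as a comment beside a hardened version that limits the verb, requires an authorised caller, allow-lists the hook identifier, and stores the payload as data rather than as executable code.

```php
<?php
// Added example, not code from goodoneuz/pay-uz. The route path comes from the
// advisory; hook names, the 'manage-payment-hooks' ability and the storage
// location are assumptions for illustration.

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;
use Illuminate\Support\Facades\Storage;

// Weak pattern the advisory describes: every HTTP verb accepted, no auth
// middleware, and request input written straight into a PHP file that is
// later require()d. Left as a comment so it is never registered.
//
// Route::any('/payment/api/editable/update', function (Request $request) {
//     file_put_contents(
//         base_path('hooks/' . $request->input('name') . '.php'),
//         $request->input('content')
//     );
// });

// Hardened form: a single verb, authenticated and authorised callers only,
// the hook identifier restricted to a fixed allow-list (so the client never
// controls a path), and the payload persisted as JSON data, not as code.
Route::middleware(['auth', 'can:manage-payment-hooks'])
    ->post('/payment/api/editable/update', function (Request $request) {
        $data = $request->validate([
            'hook'     => ['required', 'string', 'in:on_success,on_cancel,on_refund'],
            'config'   => ['required', 'array'],
            'config.*' => ['string', 'max:255'],
        ]);

        // The 'local' disk lives under storage/app, outside the web root;
        // a .json file there is never executed by PHP.
        Storage::disk('local')->put(
            "payment-hooks/{$data['hook']}.json",
            json_encode($data['config'], JSON_THROW_ON_ERROR)
        );

        return response()->json(['status' => 'ok']);
    });

// Consumer side (hypothetical helper; in a real app this belongs in a service
// class): read the hook configuration back as data instead of require()ing a
// file, so nothing a client submitted can run during payment processing.
function loadPaymentHook(string $hook): array
{
    $allowed = ['on_success', 'on_cancel', 'on_refund'];
    $path = "payment-hooks/{$hook}.json";

    if (!in_array($hook, $allowed, true) || !Storage::disk('local')->exists($path)) {
        return [];
    }

    return json_decode(Storage::disk('local')->get($path), true, 512, JSON_THROW_ON_ERROR);
}
```

The `can:manage-payment-hooks` middleware assumes a gate of that name defined in the application's authorization provider; whatever ability name is used, the point is that the route is unreachable without a session and an explicit permission, and that even an authorised caller can only change configuration values, never the code that runs during payment processing.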
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| goodoneuz | pay-uz | <= 2.2.24 | — |
| goodoneuz | pay-uz | 0 – 2.2.24 | — |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| NVD | 4.0 | 10.0 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| NVD | 2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
GHSA · 2026-04-16
CVE-2026-31843 [CRITICAL] CWE-284: goodoneuz/pay-uz: the /payment/api/editable/update endpoint overwrites existing PHP payment hook files
VulDB · 2026-04-16 · CVSS 10.0
CVE-2026-31843 [CRITICAL]: goodoneuz pay-uz up to 2.2.24 Endpoint update Route::any access control
A vulnerability was found in goodoneuz pay-uz up to 2.2.24 and classified as critical. The impacted element is the function Route::any of the file /payment/api/editable/update of the component Endpoint. Such manipulation leads to improper access controls.
This vulnerability is traded as CVE-2026-31843. The attack may be launched remotely. There is no exploit available.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.