CVE-2026-31843
Deferred Deferred - Pending Action
Unauthenticated Remote Code Execution in goodoneuz/pay-uz Laravel Package

Publication date: 2026-04-16

Last updated on: 2026-05-19

Assigner: 309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c

Description
The goodoneuz/pay-uz Laravel package (<= 2.2.24) contains a critical vulnerability in the /payment/api/editable/update endpoint that allows unauthenticated attackers to overwrite existing PHP payment hook files. The endpoint is exposed via Route::any() without authentication middleware, enabling remote access without credentials. User-controlled input is directly written into executable PHP files using file_put_contents(). These files are later executed via require() during normal payment processing workflows, resulting in remote code execution under default application behavior. The payment secret token mentioned by the vendor is unrelated to this endpoint and does not mitigate the vulnerability.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-16
Last Modified
2026-05-19
Generated
2026-06-16
AI Q&A
2026-04-17
EPSS Evaluated
2026-06-15
NVD
CVE-2026-31843
EUVD
EUVD-2026-23225
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
goodoneuz pay-uz to 2.2.24 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability allows unauthenticated remote code execution by overwriting PHP payment hook files, which can lead to unauthorized access and manipulation of payment processing workflows.

Such unauthorized access and potential data manipulation could result in violations of data protection and security requirements mandated by standards like GDPR and HIPAA, which require safeguarding sensitive payment and personal data against unauthorized access and modification.

Therefore, this vulnerability poses a significant risk to compliance with these regulations due to the potential compromise of confidentiality, integrity, and availability of sensitive data.

Executive Summary

The goodoneuz/pay-uz Laravel package (version 2.2.24 and below) has a critical vulnerability in the /payment/api/editable/update endpoint. This endpoint is accessible without any authentication because it is exposed via Route::any() without authentication middleware. An attacker can send data to this endpoint to overwrite existing PHP payment hook files on the server.

The vulnerability arises because user-controlled input is directly written into executable PHP files using file_put_contents(). These overwritten PHP files are later executed during normal payment processing workflows using require(), which allows the attacker to execute arbitrary code remotely on the server.

The payment secret token mentioned by the vendor does not protect this endpoint or mitigate the vulnerability.

Impact Analysis

This vulnerability can have severe impacts because it allows unauthenticated remote attackers to execute arbitrary code on the affected server.

  • Complete compromise of the server hosting the Laravel application.
  • Potential theft, modification, or destruction of sensitive payment data.
  • Disruption of payment processing workflows.
  • Use of the compromised server to launch further attacks or distribute malware.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-31843. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart