Cyber Posture

CVE-2026-31843

Severity: Critical
Published: 16 April 2026
Modified: 17 April 2026
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0106 (77.7th percentile)
Risk Priority: 20 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Description

The goodoneuz/pay-uz Laravel package (<= 2.2.24) contains a critical vulnerability in the /payment/api/editable/update endpoint that allows unauthenticated attackers to overwrite existing PHP payment hook files. The endpoint is exposed via Route::any() without authentication middleware, enabling remote access without credentials. User-controlled input is directly written into executable PHP files using file_put_contents(). These files are later executed via require() during normal payment processing workflows, resulting in remote code execution under default application behavior. The payment secret token mentioned by the vendor is unrelated to this endpoint and does not mitigate the vulnerability.

Mitigating Controls (NIST 800-53 r5) (AI-generated)

Prevent: Enforces authentication and authorization on the exposed /payment/api/editable/update endpoint to block unauthenticated attackers from overwriting PHP files.

Prevent: Validates and sanitizes user-controlled input to the endpoint before using file_put_contents() to write PHP payment hook files, preventing injection of malicious code.

Detect: Monitors integrity of PHP payment hook files to detect unauthorized modifications from the vulnerable endpoint, enabling identification of tampering before require() execution.
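The three controls above as one added PHP example, which is not code from the pay-uz package or from this advisory: a SHA-256 manifest of the hook directory is verified before any hook is loaded with require(), and the unauthenticated Route::any() registration is replaced by a single-verb route with authentication and authorization middleware and validated input. It goes one step beyond the sanitization control by storing the submitted settings as JSON data instead of writing them into PHP source. The HookIntegrity class, the manifest file, the 'manage-payment-hooks' gate and the JSON settings layout are assumptions.

```php
<?php
// Added illustration, not pay-uz code. HookIntegrity, the manifest file, the
// 'manage-payment-hooks' gate and the JSON settings layout are assumptions.

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;

/** Checks hook files against a SHA-256 manifest written at deploy time before any require(). */
final class HookIntegrity
{
    public function __construct(private string $hookDir, private string $manifestPath) {}
    /** SHA-256 of every hook file currently on disk, keyed by file name. */
    public function currentHashes(): array
    {
        $hashes = [];
        foreach (glob($this->hookDir . '/*.php') as $file) {
            $hashes[basename($file)] = hash_file('sha256', $file);
        }
        return $hashes;
    }
    /** Hook files added, removed or modified since the manifest was written. */
    public function drift(): array
    {
        $expected = json_decode((string) file_get_contents($this->manifestPath), true) ?: [];
        $actual   = $this->currentHashes();
        return array_keys(array_filter($expected + $actual,
            fn ($_, $n) => ($expected[$n] ?? null) !== ($actual[$n] ?? null), ARRAY_FILTER_USE_BOTH));
    }
    /** Loads a hook only while the whole hook directory still matches the manifest. */
    public function requireHook(string $name): void
    {
        if (!preg_match('/^[A-Za-z0-9_]+$/', $name)) {
            throw new \InvalidArgumentException('Invalid hook name');
        }
        if (($drift = $this->drift()) !== []) {
            throw new \RuntimeException('Payment hook integrity failure: ' . implode(', ', $drift));
        }
        require $this->hookDir . '/' . $name . '.php';
    }
}

// Hardened replacement for an unauthenticated Route::any(): one verb, auth and authorization
// middleware, validated input, and user data stored as JSON, never written as PHP source.
Route::post('/payment/api/editable/update', function (Request $request) {
    $data = $request->validate(['hook' => ['required', 'string', 'regex:/^[A-Za-z0-9_]+$/'],
        'settings' => ['required', 'array'], 'settings.*' => ['string', 'max:255']]);
    file_put_contents(storage_path("app/payment-hooks/{$data['hook']}.json"),
        json_encode($data['settings'], JSON_THROW_ON_ERROR));
    return response()->json(['ok' => true]);
})->middleware(['auth', 'can:manage-payment-hooks']);
```

The manifest consumed by drift() is expected to be produced from currentHashes() in the deployment pipeline, never from a web request, so a drift report from requireHook() directly identifies the tampered file.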

Security Summary (AI-generated)

CVE-2026-31843 is a critical vulnerability (CVSS 9.8) in the goodoneuz/pay-uz Laravel package for versions up to and including 2.2.24. It stems from improper access control (CWE-284) in the /payment/api/editable/update endpoint, which is publicly exposed via Route::any() without authentication middleware. User-controlled input sent to this endpoint is directly written into executable PHP payment hook files using file_put_contents(), enabling attackers to modify server-side scripts.

Unauthenticated remote attackers can exploit this vulnerability by sending crafted requests to the exposed endpoint, overwriting legitimate PHP files with arbitrary code. During standard payment processing workflows, these tampered files are executed via require(), leading to remote code execution (RCE) on the affected server with the privileges of the web application.

The vulnerability is evident in the package's source code, as shown in the GitHub repositories for ApiController.php and web.php routes, as well as a community fork. The package is distributed via Packagist. The vendor's payment secret token provides no mitigation for this endpoint, and practitioners should monitor for versions beyond 2.2.24 that address the issue.

Details

CWE(s): CWE-284 Improper Access Control

MITRE ATT&CK Enterprise Techniques (AI-generated)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability allows unauthenticated attackers to exploit a public-facing web endpoint in a Laravel package to write arbitrary PHP code to executable files, enabling remote code execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
