Critical severity9.8GHSA Advisory· Published Apr 16, 2026· Updated Apr 17, 2026

CVE-2026-31843

Description

The goodoneuz/pay-uz Laravel package (<= 2.2.24) contains a critical vulnerability in the /payment/api/editable/update endpoint that allows unauthenticated attackers to overwrite existing PHP payment hook files. The endpoint is exposed via Route::any() without authentication middleware, enabling remote access without credentials. User-controlled input is directly written into executable PHP files using file_put_contents(). These files are later executed via require() during normal payment processing workflows, resulting in remote code execution under default application behavior. The payment secret token mentioned by the vendor is unrelated to this endpoint and does not mitigate the vulnerability.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
goodoneuz/pay-uzPackagist	<= 2.2.24	—

Affected products

Shaxzodbek Uzb/Pay UzGHSA
Range: <= 2.2.24

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-m5wg-cjgh-223jghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2026-31843ghsaADVISORY
github.com/goodoneuz/pay-uz/blob/master/src/Http/Controllers/ApiController.phpnvdWEB
github.com/goodoneuz/pay-uz/blob/master/src/routes/web.phpnvdWEB
packagist.org/packages/goodoneuz/pay-uznvdWEB

News mentions

No linked articles in our index yet.

cvss	0.637
epss	0.001
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000