Remote Code Execution Vulnerability in goodoneuz/pay-uz Laravel Package
CVE-2026-31843

10 CRITICAL

Key Information:

Vendor: Goodoneuz
Status: Vendor
CVE Published: 16 April 2026

What is CVE-2026-31843?

The goodoneuz/pay-uz Laravel package, in versions up to and including 2.2.24, allows unauthenticated users to overwrite PHP payment hook files through the /payment/api/editable/update endpoint. The endpoint is registered without any authentication middleware, so it is reachable by remote attackers. Attacker-controlled request input is written directly into executable PHP files with file_put_contents(), and those files are later loaded with require() during normal payment processing, so arbitrary code runs in the application context. The payment secret token recommended by the vendor does not protect this endpoint.
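The vulnerable shape the advisory describes, next to a hardened version, as an added Laravel/PHP illustration that is not code from goodoneuz/pay-uz: the hook directory, request fields, handler classes, settings model and the manage-payment-hooks gate are assumptions, and only the endpoint path comes from the advisory. Both routes are shown together for contrast; only the hardened one would be registered in a real application.

```php
<?php
// Illustrative example added by the editor; not code from goodoneuz/pay-uz.
// Assumed names: hook directory, request fields, handler classes, the
// PaymentSetting model and the 'manage-payment-hooks' gate.

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;

// VULNERABLE shape (CVE-2026-31843): no auth middleware, and request input is
// written into a PHP file that payment processing later require()s.
Route::post('/payment/api/editable/update', function (Request $request) {
    $path = base_path('payment_hooks/' . $request->input('name') . '.php');
    file_put_contents($path, $request->input('content'));   // input becomes code
    return response()->json(['ok' => true]);
});

// HARDENED shape: the route requires an authenticated, authorized user; the
// hook name is allow-listed; and the "hook" is a choice among pre-written
// handler classes stored as data, never PHP source. Payment processing
// resolves the class from settings instead of require()ing an editable file.
const ALLOWED_HANDLERS = [
    'on_success' => [\App\PaymentHooks\LogSuccess::class, \App\PaymentHooks\NotifySuccess::class],
    'on_cancel'  => [\App\PaymentHooks\LogCancel::class],
];

Route::post('/payment/api/editable/update', function (Request $request) {
    $validated = $request->validate([
        'name'    => ['required', 'in:on_success,on_cancel'],
        'handler' => ['required', 'string'],
    ]);
    if (!in_array($validated['handler'], ALLOWED_HANDLERS[$validated['name']], true)) {
        abort(422, 'handler is not in the allow-list');
    }
    // Persist the selection as a database row (assumed model), not as a file.
    \App\Models\PaymentSetting::updateOrCreate(
        ['hook' => $validated['name']],
        ['handler' => $validated['handler']]
    );
    return response()->json(['ok' => true]);
})->middleware(['auth', 'can:manage-payment-hooks']);

// At payment time (assumed call site): dispatch to the configured class only
// if it is still on the allow-list, so a tampered row cannot load arbitrary code.
function runPaymentHook(string $hook, object $payment): void
{
    $class = \App\Models\PaymentSetting::where('hook', $hook)->value('handler');
    if ($class !== null && in_array($class, ALLOWED_HANDLERS[$hook] ?? [], true)) {
        app($class)->handle($payment);   // no require() of an editable file
    }
}
```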

Affected Version(s)

pay-uz <= 2.2.24

CVSS V4

Score: 10
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability reserved
  • Vulnerability published: 16 April 2026