CVE-2026-31843

Severity: Critical (CVSS 4.0 base score 10.0) · EPSS: 77.6%
Published: Apr 16, 2026 (2 months ago) · Modified: Jun 17, 2026 (1 week ago)

Description

The goodoneuz/pay-uz Laravel package (<= 2.2.24) contains a critical vulnerability in the /payment/api/editable/update endpoint that allows unauthenticated attackers to overwrite existing PHP payment hook files. The endpoint is exposed via Route::any() without authentication middleware, enabling remote access without credentials. User-controlled input is directly written into executable PHP files using file_put_contents(). These files are later executed via require() during normal payment processing workflows, resulting in remote code execution under default application behavior. The payment secret token mentioned by the vendor is unrelated to this endpoint and does not mitigate the vulnerability.

CVSS Details

Base Score: 10.0
Vector string: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: X

Threat Intelligence

EPSS exploit probability: 77.6% percentile
Exploit & patch status: no known exploit; no patch available

Weaknesses (1)

CWE-284 (Improper Access Control)

References (4)

  • github.com https://github.com/goodoneuz/pay-uz/blob/master/src/Http/Controllers/ApiController.php
  • github.com https://github.com/goodoneuz/pay-uz/blob/master/src/routes/web.php
  • github.com https://github.com/shaxzodbek-uzb/pay-uz
  • packagist.org https://packagist.org/packages/goodoneuz/pay-uz

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.