PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-31843 goodoneuz CVE debrief

The goodoneuz/pay-uz Laravel package (versions 2.2.24 and earlier) contains a critical unauthenticated remote code execution vulnerability in the /payment/api/editable/update endpoint. The endpoint is registered via Route::any() without authentication middleware, allowing unauthenticated remote access. User-controlled input is written directly to executable PHP files using file_put_contents(), and these files are subsequently executed via require() during normal payment processing workflows. The vendor's payment secret token does not protect this endpoint. This vulnerability was published on April 16, 2026 and last modified on May 19, 2026.

Vendor: goodoneuz
Product: pay-uz
CVSS: CRITICAL 10
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-04-16
Original CVE updated: 2026-05-19
Advisory published: 2026-04-16
Advisory updated: 2026-05-19

Who should care

Organizations using the goodoneuz/pay-uz Laravel package for payment processing, particularly those running version 2.2.24 or earlier. Security teams responsible for PHP/Laravel application security, payment system administrators, and developers maintaining e-commerce or payment-integrated applications.

Technical summary

The vulnerability exists in the /payment/api/editable/update endpoint of the goodoneuz/pay-uz Laravel package. The endpoint is exposed through Route::any() without authentication middleware, allowing unauthenticated attackers to send requests. The endpoint accepts user-controlled input that is written directly to PHP files using file_put_contents(). These PHP files are located in directories that are later included via require() during normal payment processing operations. This creates a direct path from unauthenticated user input to arbitrary PHP code execution. The vendor's payment secret token mechanism is unrelated to this endpoint and provides no protection against exploitation.

Defensive priority

CRITICAL

Recommended defensive actions

  • Immediately upgrade goodoneuz/pay-uz package to a version newer than 2.2.24 if available
  • If no patch is available, remove or disable the /payment/api/editable/update route in src/routes/web.php
  • Implement authentication middleware on all payment API endpoints
  • Review and audit existing PHP files in payment hook directories for unauthorized modifications
  • Monitor for unexpected file changes in payment hook directories
  • Consider web application firewall rules to block unauthenticated access to /payment/api/editable/update
  • Review application logs for unauthorized access attempts to the vulnerable endpoint
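To support the last two actions above, here is an added example (not code from the advisory or from the goodoneuz/pay-uz project) that scans web-server access logs for requests to the vulnerable route. It assumes nginx/Apache combined log format and uses constructed sample lines; because the route is registered with Route::any(), it deliberately matches every HTTP method rather than POST alone.

```python
import re
from collections import Counter

# Constructed sample access-log lines (combined format); not from any real deployment.
SAMPLE_LOG = """\
203.0.113.10 - - [16/Apr/2026:10:01:02 +0000] "GET /payment/status HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [16/Apr/2026:10:01:09 +0000] "POST /payment/api/editable/update HTTP/1.1" 200 17 "-" "curl/8.0"
198.51.100.7 - - [16/Apr/2026:10:02:41 +0000] "GET /payment/api/editable/update?x=1 HTTP/1.1" 200 17 "-" "python-requests/2.31"
192.0.2.5 - - [16/Apr/2026:10:03:00 +0000] "GET /checkout HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [timestamp] "METHOD path protocol" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

VULN_PATH = "/payment/api/editable/update"  # route named in the advisory

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]  # drop query string before comparing paths
    return rec

def find_hits(log_text):
    """Return every request to the vulnerable route, regardless of HTTP verb
    (Route::any() accepts all verbs, so filtering on POST alone would miss probes)."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["path"] == VULN_PATH:
            hits.append(rec)
    return hits

def summarize(hits):
    """Count hits per source IP and how many the server answered with a 2xx status,
    which is the signal that the endpoint was reachable without authentication."""
    per_ip = Counter(h["ip"] for h in hits)
    successful = sum(1 for h in hits if h["status"].startswith("2"))
    return {"per_ip": dict(per_ip), "successful": successful}

if __name__ == "__main__":
    hits = find_hits(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ts"]} {h["ip"]} {h["method"]} {h["path"]} -> {h["status"]}')
    print(summarize(hits))
```

Any hit that returned 2xx on an unpatched version should be treated as a potential file write and followed by the hook-directory audit listed above.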

Evidence notes

The vulnerability affects goodoneuz/pay-uz package versions <= 2.2.24. The endpoint is exposed via Route::any() without authentication. User input is written to PHP files via file_put_contents() and executed via require(). The vendor's payment secret token does not mitigate this issue. CVSS 4.0 vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H. Weakness identified: CWE-284 (Improper Access Control).

Official resources

Published: 2026-04-16 | Modified: 2026-05-19