CRITICAL
goodoneuz
CVE published 2026-04-16
CVE-2026-31843
The goodoneuz/pay-uz Laravel package (versions 2.2.24 and earlier) contains a critical unauthenticated remote code execution vulnerability in the /payment/api/editable/update endpoint. The endpoint is registered via Route::any() without authentication middleware, allowing unauthenticated remote access. User-controlled input is written directly to executable PHP files using file_put_contents(), and these f [truncated]