Platform: laravel
Component: laravel
Fixed in: 2.2.25
CVE-2026-31843 affects versions up to 2.2.24 of the goodoneuz/pay-uz Laravel package. This vulnerability allows unauthenticated attackers to remotely execute code by overwriting PHP payment hook files. The exposed /payment/api/editable/update endpoint lacks authentication, enabling attackers to directly modify files that are subsequently executed during payment processing. A patch is available.
The vulnerability lies in the /payment/api/editable/update endpoint, which is accessible without authentication. An attacker can craft a malicious request to overwrite existing PHP payment hook files. These files are then executed via require() during the normal payment processing workflow, effectively granting the attacker remote code execution (RCE) on the server. This allows for complete compromise of the application and potentially the underlying server, including data exfiltration, malware deployment, and further lateral movement. The impact is severe due to the ease of exploitation and the potential for widespread damage.
This vulnerability was publicly disclosed on 2026-04-16. No known active exploitation campaigns have been reported at the time of writing. The ease of exploitation and the critical CVSS score suggest a high probability of exploitation if left unpatched. No KEV listing is currently available.
Exploit Status
EPSS: 1.05% (78th percentile)
CISA SSVC
CVSS Vector
The primary mitigation is to upgrade to a patched version of the goodoneuz/pay-uz Laravel package. Check the package's repository for the latest version. If upgrading immediately is not possible due to compatibility issues or breaking changes, consider temporarily restricting access to the /payment/api/editable/update endpoint using a web application firewall (WAF) or proxy rules. Implement strict input validation on all user-supplied data to prevent malicious code from being injected. After upgrading, verify the fix by attempting to access the /payment/api/editable/update endpoint with a crafted payload and confirming that it is rejected.
Update the pay-uz package to a version greater than 2.2.24 to mitigate the vulnerability. This update addresses the lack of authentication in the /payment/api/editable/update endpoint, preventing unauthorized file overwrites.
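The advisory's affected range is "2.2.24 or earlier", and the recommended first step is to check the locked package version before upgrading. The following Python script is an added example, not part of this advisory or of the goodoneuz/pay-uz project: it reads a composer.lock file, finds the pinned goodoneuz/pay-uz version in either the `packages` or `packages-dev` section, and reports whether it falls inside the affected range. The lock-file contents embedded below are constructed for illustration, and the version comparison is numeric-only (pre-release suffixes are ignored), which is an assumption made here rather than Composer's own semantics.

```python
import json
import re
import sys
from typing import Optional

PACKAGE = "goodoneuz/pay-uz"
LAST_VULNERABLE = "2.2.24"  # affected range from the advisory: <= 2.2.24


def parse_version(v: str) -> tuple:
    """Turn 'v2.2.24' or '2.2.24' into a tuple of ints for comparison.

    Assumption made for this example: only the leading dotted-numeric part is
    compared; suffixes such as '-beta1' are dropped. Versions with no numeric
    prefix (e.g. 'dev-main') are rejected so the caller can inspect them by hand.
    """
    m = re.match(r"v?(\d+(?:\.\d+)*)", v.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def locked_version(lock_text: str, name: str = PACKAGE) -> Optional[str]:
    """Return the version composer.lock pins for `name`, or None if absent.

    Both the 'packages' and 'packages-dev' sections are searched, since a
    payment package could plausibly be locked in either.
    """
    data = json.loads(lock_text)
    for section in ("packages", "packages-dev"):
        for pkg in data.get(section, []):
            if pkg.get("name") == name:
                return pkg.get("version")
    return None


def is_affected(lock_text: str) -> bool:
    """True if composer.lock pins goodoneuz/pay-uz at 2.2.24 or earlier."""
    version = locked_version(lock_text)
    if version is None:
        return False  # package not installed at all
    return parse_version(version) <= parse_version(LAST_VULNERABLE)


# Constructed sample lock files (illustrative only, not real project data).
VULNERABLE_LOCK = json.dumps({
    "packages": [{"name": "goodoneuz/pay-uz", "version": "v2.2.24"}],
    "packages-dev": [],
})
PATCHED_LOCK = json.dumps({
    "packages": [{"name": "goodoneuz/pay-uz", "version": "2.2.25"}],
    "packages-dev": [],
})
NO_PACKAGE_LOCK = json.dumps({
    "packages": [{"name": "laravel/framework", "version": "v11.0.0"}],
})


if __name__ == "__main__":
    # Usage: python check_payuz.py [path/to/composer.lock]
    # With no argument the constructed vulnerable sample is checked.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = VULNERABLE_LOCK
    found = locked_version(text)
    if found is None:
        print(f"{PACKAGE} is not present in this lock file")
    elif is_affected(text):
        print(f"{PACKAGE} {found} is AFFECTED (<= {LAST_VULNERABLE}); upgrade to 2.2.25 or later")
    else:
        print(f"{PACKAGE} {found} is outside the affected range")
```

Run it against a real lock file with `python check_payuz.py composer.lock`. Because Composer lock files may prefix versions with `v`, the parser strips that prefix before comparing; a lock that pins a branch alias such as `dev-main` raises an error on purpose rather than silently reporting "not affected".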
CVE-2026-31843 is a critical remote code execution vulnerability in the goodoneuz/pay-uz Laravel package (versions <= 2.2.24) allowing attackers to overwrite PHP files and execute arbitrary code.
You are affected if you are using the goodoneuz/pay-uz Laravel package version 2.2.24 or earlier. Check your package version and upgrade immediately if vulnerable.
Upgrade to the latest version of the goodoneuz/pay-uz Laravel package. If immediate upgrade is not possible, implement temporary WAF rules to restrict access to the vulnerable endpoint.
No active exploitation campaigns have been confirmed at this time, but the high CVSS score and ease of exploitation suggest a high probability of future exploitation.
Refer to the goodoneuz/pay-uz package repository and Laravel's security advisories for the latest information and updates regarding this vulnerability.