CRITICAL🇵🇱 Wersja polska

CVE-2026-31843

CVSS 10.0v4.0pub. 2026-04-16upd. 2026-05-19

The goodoneuz/pay-uz Laravel package (<= 2.2.24) contains a critical vulnerability in the /payment/api/editable/update endpoint that allows unauthenticated attackers to overwrite existing PHP payment hook files. The endpoint is exposed via Route::any() without authentication middleware, enabling remote access without credentials. User-controlled input is directly written into executable PHP files using file_put_contents(). These files are later executed via require() during normal payment processing workflows, resulting in remote code execution under default application behavior. The payment secret token mentioned by the vendor is unrelated to this endpoint and does not mitigate the vulnerability.

🤖 AI Analysis
How it works

The /payment/api/editable/update endpoint is registered by Route::any() without applying authentication middleware, which means any remote user can access it without providing authentication credentials. User-controlled data is directly written to existing PHP files handling payments (payment hook files) using the file_put_contents() function. The modified files are subsequently loaded by require() during standard payment transaction processing, which leads to execution of PHP code supplied by the attacker. The vendor points to the payment secret token as a security measure, however it is not associated with this endpoint and does not constitute any mitigation.

Impact

An attacker without any authentication can overwrite PHP files of the application with their own code and cause remote code execution (RCE) in the context of the application server, thereby gaining full control over the system and potentially over payment transaction processing.

Mitigation & patch

Apply patches available from the vendor according to the references. Until an update is performed, it is recommended to block access to the /payment/api/editable/update endpoint at the firewall or web server level and verify the integrity of PHP files handling payments.

Who is affected

The goodoneuz/pay-uz package for the Laravel framework in versions up to and including 2.2.24

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCEAuth Bypass
CWE
References