Pay-Uz Laravel package unauthenticated RCE (CVE-2026-31843)
The goodoneuz/pay-uz Laravel package (<= 2.2.24) contains a critical vulnerability in the /payment/api/editable/update endpoint that allows unauthenticated attackers to overwrite existing PHP payment ...
Overview
A critical vulnerability in the goodoneuz/pay-uz Laravel payment package allows unauthenticated attackers to execute arbitrary code on affected servers. The flaw, tracked as CVE-2026-31843, has a maximum severity CVSS score of 9.8. It affects versions 2.2.24 and earlier.
Vulnerability Details
The vulnerability exists in the /payment/api/editable/update endpoint. This endpoint is incorrectly configured to accept requests from any network source without requiring authentication. Furthermore, it directly writes user-supplied input into executable PHP files on the server’s filesystem using the file_put_contents() function. These files are payment hooks that are later loaded and executed via require() during normal payment processing, turning a file write into full remote code execution.
Impact
An attacker can exploit this vulnerability to gain complete control over the web server hosting the vulnerable Pay-Uz package. This allows them to steal sensitive data (like payment information and database credentials), install backdoors, deface websites, or use the server to launch further attacks. The attack requires no user interaction and no prior authentication, making it trivial to exploit.
Affected Versions
All versions of the goodoneuz/pay-uz Laravel package up to and including 2.2.24 are vulnerable.
Remediation
The only complete remediation is to update the package to version 2.2.25 or higher. The vendor has patched the vulnerability by implementing proper authentication and input validation on the affected endpoint.
Action Required:
- Update immediately: run composer update goodoneuz/pay-uz in your Laravel project to upgrade to version 2.2.25+.
- Verify: confirm that the version recorded for goodoneuz/pay-uz in your composer.lock file is 2.2.25 or newer.
- No workaround: the vendor's suggested "payment secret token" does not protect the vulnerable endpoint. Updating is the only effective action.
If you cannot update immediately, consider taking the affected system offline, as there is no reliable mitigation short of the fixed release.
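Two defender-side checks follow from the steps above: confirming the locked package version, and spotting requests to the unauthenticated hook-update endpoint in web server logs. This Python is an added example, not code from the advisory or the pay-uz project; the composer.lock fragment and the access-log lines are constructed, and the log format is assumed to be the common/combined format.

```python
import json
import re
from typing import Iterable

PACKAGE = "goodoneuz/pay-uz"
FIXED = (2, 2, 25)   # first fixed release named in the advisory
ENDPOINT = "/payment/api/editable/update"


def parse_version(v: str) -> tuple:
    """Turn '2.2.24' or 'v2.2.24' into a comparable int tuple.
    Unparseable versions (e.g. dev branches) yield () and so compare as vulnerable."""
    return tuple(int(p) for p in re.findall(r"\d+", v)[:3])


def installed_version(composer_lock: str):
    """Return the locked pay-uz version string, or None if the package is absent."""
    data = json.loads(composer_lock)
    for section in ("packages", "packages-dev"):
        for pkg in data.get(section, []):
            if pkg.get("name") == PACKAGE:
                return pkg.get("version")
    return None


def is_vulnerable(composer_lock: str) -> bool:
    """True when pay-uz is installed at a version below 2.2.25."""
    v = installed_version(composer_lock)
    return v is not None and parse_version(v) < FIXED


# Combined-log-format prefix: client, ident, user, [time], "METHOD PATH PROTO", status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def flag_endpoint_hits(lines: Iterable[str]) -> list:
    """Return (client_ip, method, status) for every request to the hook-update endpoint.
    Any method is flagged because the route is described as Route::any()."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and m.group(3).split("?")[0] == ENDPOINT:
            hits.append((m.group(1), m.group(2), int(m.group(4))))
    return hits


# Constructed sample inputs (not real data)
SAMPLE_LOCK = json.dumps({"packages": [{"name": PACKAGE, "version": "2.2.24"}]})
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2026:12:00:01 +0000] "POST /payment/api/editable/update HTTP/1.1" 200 17 "-" "curl/8.4"',
    '203.0.113.5 - - [10/Mar/2026:12:00:02 +0000] "GET /payment/checkout HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Mar/2026:12:00:03 +0000] "GET /payment/api/editable/update?x=1 HTTP/1.1" 405 0 "-" "python-requests/2.31"',
]
```

Run is_vulnerable over the real composer.lock and flag_endpoint_hits over the server's access log; any hit on a host that was at a vulnerable version warrants a review of the payment hook files for unexpected changes.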
Security Insight
This vulnerability is a stark example of the risks in third-party payment integrations, where a single flawed component can compromise an entire application stack. The pattern of an unauthenticated Route::any() endpoint leading directly to file_put_contents() on a file that is later require()'d is a severe development oversight, reminiscent of past vulnerabilities in other Laravel packages. It underscores the necessity for rigorous security reviews of open-source dependencies, especially those handling financial transactions.