Description
The goodoneuz/pay-uz Laravel package (<= 2.2.24) contains a critical vulnerability in the /payment/api/editable/update endpoint that allows unauthenticated attackers to overwrite existing PHP payment hook files. The endpoint is exposed via Route::any() without authentication middleware, enabling remote access without credentials. User-controlled input is directly written into executable PHP files using file_put_contents(). These files are later executed via require() during normal payment processing workflows, resulting in remote code execution under default application behavior. The payment secret token mentioned by the vendor is unrelated to this endpoint and does not mitigate the vulnerability.
Published: 2026-04-16
Score: 10 Critical
EPSS: 1.9% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The goodoneuz/pay-uz Laravel package (versions 2.2.24 and earlier) contains a critical flaw in its /payment/api/editable/update endpoint. The endpoint is registered with Route::any() without any authentication or authorization middleware, enabling unauthenticated HTTP requests. User‑controlled input is written directly into PHP hook files via file_put_contents, and these files are later included with require() during normal payment processing. Consequently, an attacker can inject arbitrary PHP code, leading to full remote code execution and compromising the confidentiality, integrity, and availability of the host application.

Affected Systems

All installations that rely on the goodoneuz/pay-uz package at version 2.2.24 or earlier are affected. The CVE references point to the package source files that implement the vulnerable endpoint, and no other versions are listed. If a deployment uses a newer version of the package, further review is required to confirm whether the flaw persists.

Risk and Exploitability

The CVSS score of 10.0 reflects remote code execution with no authentication. An EPSS score of 2% indicates a low‑but‑nonzero chance of exploitation. The flaw is not currently listed in the CISA KEV catalog. Attackers can trigger the vulnerability by sending an unauthenticated request to the exposed endpoint with a malicious PHP payload; the lack of authentication and input validation creates a straightforward exploit path. The likely attack vector is remote HTTP requests to the endpoint, inferred from the Route::any() usage without middleware.

Generated by OpenCVE AI on June 18, 2026 at 13:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply authentication middleware or access controls to the /payment/api/editable/update route to restrict access to authorized users.
  • Temporarily remove or comment out the vulnerable route definition in routes/web.php if the functionality is not required.
  • Check the vendor’s repository or website for any new releases that address the flaw and update the package when a fix becomes available.

Generated by OpenCVE AI on June 18, 2026 at 13:18 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-m5wg-cjgh-223j goodoneuz/pay-uz: the /payment/api/editable/update endpoint overwrites existing PHP payment hook files
History

Thu, 18 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Title Laravel Payment Hook Overwrite Allows Unauthenticated Remote Code Execution

Wed, 17 Jun 2026 11:30:00 +0000

Type Values Removed Values Added
Title Laravel Payment Hook Overwrite Allows Unauthenticated Remote Code Execution

Tue, 16 Jun 2026 14:00:00 +0000

Type Values Removed Values Added
Title Unauthenticated Remote Code Execution via Payment Hook Overwrite in Pay-uz

Fri, 17 Apr 2026 03:15:00 +0000

Type Values Removed Values Added
Title Unauthenticated Remote Code Execution via Payment Hook Overwrite in Pay-uz

Thu, 16 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 16 Apr 2026 19:00:00 +0000

Type Values Removed Values Added
First Time appeared Goodoneuz
Goodoneuz pay-uz
Vendors & Products Goodoneuz
Goodoneuz pay-uz

Thu, 16 Apr 2026 13:15:00 +0000

Type Values Removed Values Added
Description The goodoneuz/pay-uz Laravel package (<= 2.2.24) contains a critical vulnerability in the /payment/api/editable/update endpoint that allows unauthenticated attackers to overwrite existing PHP payment hook files. The endpoint is exposed via Route::any() without authentication middleware, enabling remote access without credentials. User-controlled input is directly written into executable PHP files using file_put_contents(). These files are later executed via require() during normal payment processing workflows, resulting in remote code execution under default application behavior. The payment secret token mentioned by the vendor is unrelated to this endpoint and does not mitigate the vulnerability.
Weaknesses CWE-284
References
Metrics cvssV2_0

{'score': 10, 'vector': 'AV:N/AC:L/Au:N/C:C/I:C/A:C'}

cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 10, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}


Subscriptions

Goodoneuz Pay-uz
cve-icon MITRE

Status: PUBLISHED

Assigner: TuranSec

Published:

Updated: 2026-04-16T19:30:21.203Z

Reserved: 2026-03-09T18:20:23.398Z

Link: CVE-2026-31843

cve-icon Vulnrichment

Updated: 2026-04-16T17:24:03.961Z

cve-icon NVD

Status : Deferred

Published: 2026-04-16T13:16:48.473

Modified: 2026-06-17T10:34:33.817

Link: CVE-2026-31843

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T13:30:05Z

Weaknesses