Description
The goodoneuz/pay-uz Laravel package (<= 2.2.24) contains a critical vulnerability in the /payment/api/editable/update endpoint that allows unauthenticated attackers to overwrite existing PHP payment hook files. The endpoint is exposed via Route::any() without authentication middleware, enabling remote access without credentials. User-controlled input is directly written into executable PHP files using file_put_contents(). These files are later executed via require() during normal payment processing workflows, resulting in remote code execution under default application behavior. The payment secret token mentioned by the vendor is unrelated to this endpoint and does not mitigate the vulnerability.
Published: 2026-04-16
Score: 10 Critical
EPSS: 1.1% Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability in the goodoneuz/pay-uz Laravel package exists in the /payment/api/editable/update endpoint. The endpoint is exposed via Route::any() without authentication middleware, allowing unauthenticated HTTP requests to reach it. User-provided input is written directly as content into PHP hook files using file_put_contents(), and those files are later included with require() during normal payment processing. This directly enables an attacker to inject and execute arbitrary PHP code, resulting in remote code execution and full compromise of the application’s confidentiality, integrity and availability.

Affected Systems

All deployments of the goodoneuz/pay-uz package at version 2.2.24 or earlier are affected. This page records no fixed release: the advisory gives the affected range as <= 2.2.24, and the Remediation section lists no vendor fix or workaround. Treat any deployment running 2.2.24 or earlier as vulnerable, and treat a newer version as fixed only once the vendor confirms that it closes this issue.

Risk and Exploitability

The CVSS 4.0 base score is 10.0 (CVSS 3.1: 9.8), i.e. critical: network-reachable, low attack complexity, no privileges or user interaction required, and high impact on confidentiality, integrity and availability. The EPSS probability shown on this page is 1.1% (low), and the vulnerability is not listed in CISA's KEV catalog; the SSVC assessment in the history records Exploitation: none, but Automatable: yes and Technical Impact: total. An attacker triggers the flaw with a single unauthenticated request to the endpoint (any HTTP method, since the route is registered with Route::any()) carrying PHP source in the request body or query parameters. With no authentication on the route and no validation of what is written, overwriting a hook file and having it execute during the next payment workflow is straightforward.

Generated by OpenCVE AI on April 17, 2026 at 03:05 UTC.
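To make the mechanism in the Impact paragraph concrete, the following is an added, illustrative reconstruction of the vulnerable pattern next to a hardened counterpart. It is not code from the pay-uz package: only the elements the advisory names (Route::any(), no auth middleware, file_put_contents() of request input into a .php file, later require()) come from the description; the closure bodies, the hook directory, the parameter names, the allow-list of hook names, the gate name and the app('payments') service are assumptions made for the example.

```php
<?php
// Added illustrative example, NOT the pay-uz package's own code.
// Only Route::any(), file_put_contents(), require() and the endpoint path
// come from the advisory; every other name below is assumed.

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;

// --- Vulnerable pattern as described in the advisory ------------------------
// Reachable with any HTTP method, no auth middleware, and the request body is
// written verbatim into a file that is later executed with require().
Route::any('/payment/api/editable/update', function (Request $request) {
    $hook = $request->input('hook');                       // assumed parameter name
    $path = storage_path("payment_hooks/{$hook}.php");     // assumed location
    file_put_contents($path, $request->input('content'));  // attacker-controlled PHP source
    return response()->json(['updated' => $hook]);
});

// Somewhere in the payment flow the hook is executed: whatever was written
// above now runs with the web server's privileges.
function runPaymentHook(string $hook, array $payment): void
{
    require storage_path("payment_hooks/{$hook}.php");
}

// --- Hardened counterpart ---------------------------------------------------
// 1. The route accepts only the method it needs and sits behind auth/authz.
// 2. Request input is never written as PHP source. Editable hook data is
//    stored as JSON, and execution goes through a fixed allow-list of
//    handlers that live in application code.

const ALLOWED_HOOKS = ['on_success', 'on_failure', 'on_refund'];  // assumed names

Route::post('/payment/api/editable/update', function (Request $request) {
    $data = $request->validate([
        'hook'   => ['required', 'string', 'in:' . implode(',', ALLOWED_HOOKS)],
        'config' => ['required', 'array'],
    ]);
    // Data, not code: a hostile "config" cannot become executable PHP, and the
    // validated hook name cannot point outside the hook directory.
    file_put_contents(
        storage_path("payment_hooks/{$data['hook']}.json"),
        json_encode($data['config'], JSON_THROW_ON_ERROR)
    );
    return response()->json(['updated' => $data['hook']]);
})->middleware(['auth', 'can:manage-payment-hooks']);  // assumed gate name

function runPaymentHookSafely(string $hook, array $payment): void
{
    if (!in_array($hook, ALLOWED_HOOKS, true)) {
        throw new InvalidArgumentException("Unknown hook: {$hook}");
    }
    $config = json_decode(
        file_get_contents(storage_path("payment_hooks/{$hook}.json")),
        true, 512, JSON_THROW_ON_ERROR
    );
    // Handlers are plain application code; the stored config only
    // parameterises them. app('payments') is an assumed service.
    $handlers = [
        'on_success' => fn (array $p, array $c) => app('payments')->markPaid($p['id'], $c),
        'on_failure' => fn (array $p, array $c) => app('payments')->markFailed($p['id'], $c),
        'on_refund'  => fn (array $p, array $c) => app('payments')->refund($p['id'], $c),
    ];
    ($handlers[$hook])($payment, $config);
}
```

The design point is that the fix is not only adding middleware: as long as request content is written into a file that is later require()d, any bypass of the middleware is again remote code execution. Storing hook settings as data and dispatching to code that ships with the application removes that class of bug regardless of who can reach the route.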

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade goodoneuz/pay-uz to a release above 2.2.24 as soon as the vendor publishes one that fixes this issue; no fixed release is recorded on this page, so an upgrade alone should not be assumed to close the hole.
  • Restrict access to /payment/api/editable/update with authentication and authorization middleware, or deny the path at the reverse proxy or firewall, so that only authorized users can reach the route.
  • If upgrading is not immediately possible, block the route. The route is defined by the package rather than in the application's routes/web.php, so deny the path in global HTTP middleware (which runs before route dispatch) or at the web server, so that unauthenticated requests never reach it.
  • After mitigating, compare the existing PHP hook files against the copies shipped with the installed package version and treat any difference, or any recent modification time, as an indicator of compromise that warrants incident response rather than just a restore.

Generated by OpenCVE AI on April 17, 2026 at 03:05 UTC.
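For the stop-gap in the recommendations above, the following is an added example of a global Laravel middleware that denies the path before the router ever sees it; it is not vendor code. It assumes a standard Laravel application; the class name, the 404 response and the log message are assumptions.

```php
<?php
// Added stop-gap example for an unpatched pay-uz deployment; NOT vendor code.
// Assumes a standard Laravel application. Class name, response code and
// log wording are assumptions.

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\Response;

class BlockPayUzEditableRoutes
{
    /** Paths the vulnerable package exposes without authentication. */
    private const BLOCKED_PATHS = [
        'payment/api/editable/update',
    ];

    public function handle(Request $request, Closure $next): Response
    {
        // $request->is() matches the path (no leading slash) regardless of
        // HTTP method, which matters because the package registers the
        // route with Route::any().
        if ($request->is(...self::BLOCKED_PATHS)) {
            // Once the endpoint is disabled no legitimate client uses it,
            // so every hit is worth a look during incident triage.
            logger()->warning('Blocked request to pay-uz editable endpoint', [
                'ip'     => $request->ip(),
                'method' => $request->method(),
                'ua'     => $request->userAgent(),
            ]);
            abort(404);
        }
        return $next($request);
    }
}

// Registration as GLOBAL middleware, so it runs before route dispatch and is
// independent of how the package registered its route:
//   Laravel 10 and earlier: add \App\Http\Middleware\BlockPayUzEditableRoutes::class
//   to the $middleware array in app/Http/Kernel.php.
//   Laravel 11: in bootstrap/app.php,
//   ->withMiddleware(fn (Middleware $middleware) =>
//       $middleware->prepend(\App\Http\Middleware\BlockPayUzEditableRoutes::class))
```

Verify after deploying by sending both a GET and a POST to /payment/api/editable/update and confirming that each returns 404 and produces a warning in the application log; then check the hook files as the last recommendation describes, because the block stops future writes but does not undo any that already happened.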


Advisories
Source: GitHub GHSA
ID: GHSA-m5wg-cjgh-223j
Title: goodoneuz/pay-uz: the /payment/api/editable/update endpoint overwrites existing PHP payment hook files
History

Fri, 17 Apr 2026 03:15:00 +0000

Title added: Unauthenticated Remote Code Execution via Payment Hook Overwrite in Pay-uz

Thu, 16 Apr 2026 20:15:00 +0000

Metrics added: SSVC 2.0.3 (Exploitation: none, Automatable: yes, Technical Impact: total)


Thu, 16 Apr 2026 19:00:00 +0000

First Time appeared: Goodoneuz; Goodoneuz pay-uz
Vendors & Products added: Goodoneuz; Goodoneuz pay-uz

Thu, 16 Apr 2026 13:15:00 +0000

Description added: The goodoneuz/pay-uz Laravel package (<= 2.2.24) contains a critical vulnerability in the /payment/api/editable/update endpoint that allows unauthenticated attackers to overwrite existing PHP payment hook files. The endpoint is exposed via Route::any() without authentication middleware, enabling remote access without credentials. User-controlled input is directly written into executable PHP files using file_put_contents(). These files are later executed via require() during normal payment processing workflows, resulting in remote code execution under default application behavior. The payment secret token mentioned by the vendor is unrelated to this endpoint and does not mitigate the vulnerability.
Weaknesses added: CWE-284 (Improper Access Control)
References
Metrics added:
  cvssV2_0: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
  cvssV3_1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
  cvssV4_0: 10.0 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H)


MITRE

Status: PUBLISHED

Assigner: TuranSec

Published:

Updated: 2026-04-16T19:30:21.203Z

Reserved: 2026-03-09T18:20:23.398Z

Link: CVE-2026-31843

Vulnrichment

Updated: 2026-04-16T17:24:03.961Z

NVD

Status: Deferred

Published: 2026-04-16T13:16:48.473

Modified: 2026-05-19T15:50:41.340

Link: CVE-2026-31843

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T03:15:08Z

Weaknesses