Cyber Resilience

CVE-2026-31843

Critical

Published: 16 April 2026

Modified: 19 May 2026
CVSS v4 score: 10.0 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0194 (77.5th percentile)
Risk priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-31843 is a critical-severity Improper Access Control (CWE-284) vulnerability in the goodoneuz/pay-uz Laravel package, versions up to and including 2.2.24, distributed via Packagist (the affected product is inferred from the references, since NVD filed no CPE). Its CVSS v4 base score is 10.0 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 22.5% of all CVEs by EPSS exploit likelihood, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

The goodoneuz/pay-uz Laravel package, up to and including version 2.2.24, contains an unauthenticated remote code execution vulnerability in the /payment/api/editable/update endpoint. The flaw stems from a Route::any() definition that lacks authentication middleware, combined with direct use of user-controlled input in file_put_contents() calls that overwrite PHP payment hook files; those files are subsequently loaded via require() during normal payment processing, so whatever was written is executed.

Any unauthenticated attacker who can reach the endpoint over the network can send crafted requests that replace hook files with arbitrary PHP code. Successful exploitation yields full remote code execution in the context of the web application; the payment secret token referenced by the vendor applies to other functionality and does not protect this route.

The EPSS score rose from a low of 0.0046 to a peak of 0.0114 after disclosure, indicating emerging exploitation interest that warrants renewed attention. Source references point to the vulnerable ApiController.php and web.php route definitions in the package repository and its Packagist listing, but no vendor advisory or patch information is provided.


Vulnerability details

The goodoneuz/pay-uz Laravel package (<= 2.2.24) contains a critical vulnerability in the /payment/api/editable/update endpoint that allows unauthenticated attackers to overwrite existing PHP payment hook files. The endpoint is exposed via Route::any() without authentication middleware, enabling remote access without credentials. User-controlled input is directly written into executable PHP files using file_put_contents(). These files are later executed via require() during normal payment processing workflows, resulting in remote code execution under default application behavior. The payment secret token mentioned by the vendor is unrelated to this endpoint and does not mitigate the vulnerability.
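To make the route shape described in the analysis and in the vulnerability details concrete, the following is an added illustrative example and not code from the pay-uz package (the page does not reproduce the package's ApiController.php or web.php). Only the endpoint path comes from the page; the controller names, the request parameters `name`, `code` and `settings`, the `payment-hooks/` directory, the `manage-payment-hooks` gate and the hook class names are assumptions for illustration. The first half shows the vulnerable pattern (Route::any() with no middleware, request input written straight into a PHP file that is later require()d); the second shows one hardened form that enforces authentication and authorization (AC-3), validates input against an allow-list (SI-10), and stores hook settings as data rather than as executable code. The two halves are alternatives for contrast, not meant to be registered together.

```php
<?php
// Added illustrative example, NOT the pay-uz package's code. Names other than
// the endpoint path are assumed for illustration.

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;
use Illuminate\Support\Facades\Storage;
use Illuminate\Validation\Rule;

// ---- Vulnerable shape (shown for contrast; do not deploy) -------------------
// Route::any() answers GET, POST, PUT, ... and no 'auth' middleware is attached,
// so an unauthenticated client can reach the handler directly.
Route::any('/payment/api/editable/update', [VulnerableHookController::class, 'update']);

class VulnerableHookController
{
    public function update(Request $request)
    {
        // The request chooses both the target file and its contents: arbitrary
        // PHP lands on disk with no authentication and no validation.
        $path = base_path('payment-hooks/' . $request->input('name') . '.php');
        file_put_contents($path, $request->input('code'));
        return response()->json(['ok' => true]);
    }
}
// Elsewhere in the payment flow the hook is executed, which turns the file
// write into remote code execution:
//   require base_path('payment-hooks/' . $hookName . '.php');

// ---- Hardened shape ---------------------------------------------------------
// 1. Explicit HTTP method instead of Route::any().
// 2. Authentication plus an authorization gate on the route (AC-3).
// 3. Input validated against an allow-list (SI-10) and stored as JSON data;
//    hooks are dispatched to classes shipped with the application, so no
//    request can introduce new executable code.
Route::middleware(['auth', 'can:manage-payment-hooks'])
    ->post('/payment/api/editable/update', [HardenedHookController::class, 'update']);

class HardenedHookController
{
    /** Hooks an operator may configure, mapped to pre-registered classes (assumed names). */
    private const ALLOWED_HOOKS = [
        'on_success' => \App\PaymentHooks\OnSuccess::class,
        'on_failure' => \App\PaymentHooks\OnFailure::class,
    ];

    public function update(Request $request)
    {
        $data = $request->validate([
            'name'       => ['required', 'string', Rule::in(array_keys(self::ALLOWED_HOOKS))],
            'settings'   => ['required', 'array'],
            'settings.*' => ['string', 'max:255'],
        ]);

        // Persist configuration as JSON on the app's storage disk, never as PHP.
        Storage::disk('local')->put(
            'payment-hooks/' . $data['name'] . '.json',
            json_encode($data['settings'], JSON_THROW_ON_ERROR)
        );
        return response()->json(['ok' => true]);
    }

    /** Runs a configured hook by class; nothing written by a request is ever require()d. */
    public static function run(string $name, array $payload): void
    {
        $class = self::ALLOWED_HOOKS[$name] ?? null;
        if ($class === null) {
            throw new \InvalidArgumentException("unknown hook: $name");
        }
        $raw      = Storage::disk('local')->get("payment-hooks/$name.json") ?? '{}';
        $settings = json_decode($raw, true, 512, JSON_THROW_ON_ERROR);
        (new $class())->handle($payload, $settings);
    }
}
```

The design point is that the hardened version removes the file write of executable content entirely rather than only guarding it: even a future auth bypass on the route would let an attacker change hook settings, not run code. If hook files must stay on disk as PHP, they should be deployed as part of the release, owned by a user other than the web server process, and never writable from request handling.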

CWE(s)

CWE-284 Improper Access Control

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability allows unauthenticated attackers to exploit a public-facing web endpoint in a Laravel package to write arbitrary PHP code to executable files, enabling remote code execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-7198 (shared CWE-284)
CVE-2026-46818 (shared CWE-284)
CVE-2025-70363 (shared CWE-284)
CVE-2026-34310 (shared CWE-284)
CVE-2026-46839 (shared CWE-284)
CVE-2026-34287 (shared CWE-284)
CVE-2026-44277 (shared CWE-284)
CVE-2025-66509 (shared CWE-284)
CVE-2025-50900 (shared CWE-284)
CVE-2025-7016 (shared CWE-284)

Affected Assets

goodoneuz/pay-uz (Laravel package, versions <= 2.2.24), distributed via Packagist
Inferred from the references and description; NVD did not file a CPE for this CVE.

Mitigating Controls (NIST 800-53 r5)

AC-3 Access Enforcement (prevent)

Directly enforces authentication and authorization on the /payment/api/editable/update endpoint, closing the unauthenticated Route::any() exposure that allows arbitrary file overwrites.

SI-10 Information Input Validation (prevent)

Requires validation and sanitization of all user-supplied input before it reaches file_put_contents(), preventing injection of malicious PHP into hook files that are later executed via require().

Integrity monitoring (detect)

Detects unauthorized modifications to the PHP payment hook files written by the vulnerable endpoint, so that tampered files can be caught by an integrity check before they are loaded during payment processing.
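As an added example of the detect control above (not anything from the pay-uz package), the following standalone PHP script records SHA-256 hashes of the PHP files in a hook directory and later reports any file that was modified, added or removed, which is exactly the effect an attacker produces through the endpoint. The hook directory and baseline file locations are assumptions; in a real deployment the baseline must live where the web server process cannot write to it.

```php
<?php
// Added example (not from the pay-uz package): baseline-and-verify integrity
// check for PHP payment hook files. Run `php hook-integrity.php baseline` once
// from a known-good state, then `php hook-integrity.php verify` from cron or a
// deploy pipeline. Directory and baseline paths are assumptions for illustration.

declare(strict_types=1);

const HOOK_DIR      = __DIR__ . '/payment-hooks';       // assumed location
const BASELINE_FILE = __DIR__ . '/hook-baseline.json';  // assumed location; keep it non-writable by www-data

/** Returns [relative path => sha256 hex] for every .php file under $dir. */
function hashHooks(string $dir): array
{
    $hashes = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        if ($file->isFile() && strtolower($file->getExtension()) === 'php') {
            $rel = substr($file->getPathname(), strlen($dir) + 1);
            $hashes[$rel] = hash_file('sha256', $file->getPathname());
        }
    }
    ksort($hashes);
    return $hashes;
}

/** Compares current hashes against the baseline and returns human-readable findings. */
function diffHooks(array $baseline, array $current): array
{
    $findings = [];
    foreach ($current as $path => $hash) {
        if (!isset($baseline[$path])) {
            $findings[] = "NEW      $path";   // created by a write, not by a deploy
        } elseif ($baseline[$path] !== $hash) {
            $findings[] = "MODIFIED $path";   // contents replaced: the effect of this CVE
        }
    }
    foreach (array_keys($baseline) as $path) {
        if (!isset($current[$path])) {
            $findings[] = "MISSING  $path";
        }
    }
    return $findings;
}

$mode = $argv[1] ?? 'verify';
if (!is_dir(HOOK_DIR)) {
    fwrite(STDERR, 'hook directory not found: ' . HOOK_DIR . "\n");
    exit(2);
}
$current = hashHooks(HOOK_DIR);

if ($mode === 'baseline') {
    file_put_contents(
        BASELINE_FILE,
        json_encode($current, JSON_PRETTY_PRINT | JSON_THROW_ON_ERROR)
    );
    echo 'baseline recorded for ' . count($current) . " file(s)\n";
    exit(0);
}

$baseline = json_decode((string) @file_get_contents(BASELINE_FILE), true);
if (!is_array($baseline)) {
    fwrite(STDERR, 'no usable baseline at ' . BASELINE_FILE . "; run 'baseline' first\n");
    exit(2);
}

$findings = diffHooks($baseline, $current);
foreach ($findings as $f) {
    echo $f, "\n";
}
// Non-zero exit lets cron or CI raise an alert on any drift.
exit($findings === [] ? 0 : 1);
```

Hash verification only catches a tampered hook after the fact, so it belongs alongside the preventive fixes rather than in place of them; pairing it with a file-system audit rule on the hook directory gives a near-real-time signal of the write itself.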
