CVE-2026-31843
Published: 16 April 2026
Summary
CVE-2026-31843 is a critical-severity Improper Access Control (CWE-284) vulnerability in Packagist (inferred from references). Its CVSS base score is 10.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 22.5% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
The goodoneuz/pay-uz Laravel package up to version 2.2.24 contains an unauthenticated remote code execution vulnerability in the /payment/api/editable/update endpoint. The flaw stems from a Route::any() definition that lacks authentication middleware, combined with direct use of user-controlled input in file_put_contents() calls that overwrite PHP payment hook files; these files are subsequently loaded via require() during normal payment processing.
Unauthenticated attackers with network access to the endpoint can send crafted requests that replace hook files with arbitrary PHP code. Successful exploitation grants full remote code execution in the context of the web application; the payment secret token referenced by the vendor does not protect this route.
The EPSS score rose from a low of 0.0046 to a peak of 0.0114 after disclosure, indicating emerging exploitation interest that warrants renewed attention. Source references point to the vulnerable ApiController.php and web.php route definitions in the package repository and its Packagist listing, but no vendor advisory or patch information is provided.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-23225
Vulnerability details
The goodoneuz/pay-uz Laravel package (<= 2.2.24) contains a critical vulnerability in the /payment/api/editable/update endpoint that allows unauthenticated attackers to overwrite existing PHP payment hook files. The endpoint is exposed via Route::any() without authentication middleware, enabling remote access without credentials. User-controlled input is directly written into executable PHP files using file_put_contents(). These files are later executed via require() during normal payment processing workflows, resulting in remote code execution under default application behavior. The payment secret token mentioned by the vendor is unrelated to this endpoint and does not mitigate the vulnerability.
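The following is an added illustration of the route pattern described above next to a hardened form; it is not code from goodoneuz/pay-uz, and the route closure, field names (hook, settings), hook names, storage path and the manage-payment-hooks gate are assumptions. The fix has three parts: put authentication and authorization middleware on the route, accept only a fixed set of hook names rather than a user-supplied path, and store request data as JSON that static hook code reads, so nothing from the request is ever written into a file that gets require()d.

```php
<?php
// Added example, not code from the pay-uz package. Names are assumptions.

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;
use Illuminate\Support\Facades\Storage;
use Illuminate\Validation\Rule;

// --- Pattern the advisory describes (shown for contrast, do not deploy) ---
// Route::any() with no middleware; request input is written straight into a
// PHP file under the hook directory, which payment processing later require()s.
Route::any('/payment/api/editable/update', function (Request $request) {
    $path = base_path('payment/hooks/' . $request->input('hook') . '.php');
    file_put_contents($path, $request->input('code')); // request body becomes PHP source
    return response()->json(['ok' => true]);
});

// --- Hardened form ---
const PAYMENT_HOOKS = ['on_success', 'on_cancel']; // assumed hook names

Route::post('/payment/api/editable/update', function (Request $request) {
    // Only known hook names are accepted, so no path component comes from the user.
    $validated = $request->validate([
        'hook'       => ['required', Rule::in(PAYMENT_HOOKS)],
        'settings'   => ['required', 'array'],
        'settings.*' => ['string', 'max:255'],
    ]);

    // Settings are stored as data under storage/, never as executable code.
    Storage::disk('local')->put(
        'payment/hook-settings/' . $validated['hook'] . '.json',
        json_encode($validated['settings'], JSON_THROW_ON_ERROR)
    );

    return response()->json(['ok' => true]);
})->middleware(['auth', 'can:manage-payment-hooks']); // gate name is an assumption

// Hook PHP files stay static and version-controlled; they only read the JSON.
function loadHookSettings(string $hook): array
{
    if (!in_array($hook, PAYMENT_HOOKS, true)) {
        throw new InvalidArgumentException("unknown hook: $hook");
    }
    $file = 'payment/hook-settings/' . $hook . '.json';
    if (!Storage::disk('local')->exists($file)) {
        return [];
    }
    return json_decode(Storage::disk('local')->get($file), true, 512, JSON_THROW_ON_ERROR);
}
```

The `can:manage-payment-hooks` middleware assumes a Gate of that name is defined in the application; any authorization check that restricts the route to payment administrators serves the same purpose. The important property is that the request can change configuration values but can never change what code runs.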
- CWE(s): CWE-284 (Improper Access Control)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability allows unauthenticated attackers to reach a public-facing web endpoint in a Laravel package and write arbitrary PHP code to executable files, enabling remote code execution; this maps to Exploit Public-Facing Application (T1190).
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): Directly enforces authentication and authorization on the /payment/api/editable/update endpoint, blocking the unauthenticated Route::any() exposure that allows arbitrary file overwrites.
- SI-10 (Information Input Validation): Requires validation and sanitization of all user-supplied input before it reaches file_put_contents(), preventing injection of malicious PHP into hook files that are later executed via require().
- File integrity monitoring: Detects unauthorized modifications to PHP payment hook files written by the vulnerable endpoint, enabling integrity checks before they are loaded during payment processing.
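An added example of the integrity check the last control describes, not code from goodoneuz/pay-uz: a manifest of SHA-256 hashes is written at deploy time, and the hook directory is compared against it before any hook file is loaded. The directory layout, manifest location and hook file contents below are constructed for the demonstration.

```php
<?php
// Added integrity-check example; directory layout and manifest path are assumptions.

declare(strict_types=1);

/** Hash every .php file in $dir into a sorted filename => sha256 map. */
function hookManifest(string $dir): array
{
    $manifest = [];
    foreach (glob($dir . '/*.php') ?: [] as $file) {
        $manifest[basename($file)] = hash_file('sha256', $file);
    }
    ksort($manifest);
    return $manifest;
}

/** Write the manifest from a trusted deploy step, not from the web application. */
function writeManifest(string $dir, string $manifestPath): void
{
    file_put_contents(
        $manifestPath,
        json_encode(hookManifest($dir), JSON_PRETTY_PRINT | JSON_THROW_ON_ERROR)
    );
}

/** Return a list of problems (modified, missing or unexpected hook files); empty means clean. */
function verifyHooks(string $dir, string $manifestPath): array
{
    $expected = json_decode(file_get_contents($manifestPath), true, 512, JSON_THROW_ON_ERROR);
    $actual   = hookManifest($dir);
    $problems = [];
    foreach ($expected as $name => $hash) {
        if (!isset($actual[$name])) {
            $problems[] = "missing: $name";
        } elseif (!hash_equals($hash, $actual[$name])) {
            $problems[] = "modified: $name";
        }
    }
    foreach (array_diff_key($actual, $expected) as $name => $_) {
        $problems[] = "unexpected: $name";
    }
    return $problems;
}

/** Load a hook only when the whole hook directory still matches the manifest. */
function requireVerifiedHook(string $dir, string $manifestPath, string $name): mixed
{
    $problems = verifyHooks($dir, $manifestPath);
    if ($problems !== []) {
        error_log('payment hook integrity failure: ' . implode('; ', $problems));
        throw new RuntimeException('refusing to load payment hooks');
    }
    return require $dir . '/' . $name;
}

// --- Demonstration with constructed files in a temporary directory ---
$dir = sys_get_temp_dir() . '/payuz-hooks-' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents($dir . '/on_success.php', "<?php\nreturn 'ok';\n"); // constructed hook
$manifest = $dir . '/manifest.json';
writeManifest($dir, $manifest);

// First check: the directory matches the manifest just written.
var_dump(verifyHooks($dir, $manifest));
var_dump(requireVerifiedHook($dir, $manifest, 'on_success.php'));

// Change the hook file after deploy, as the vulnerable endpoint would, and check again.
file_put_contents($dir . '/on_success.php', "<?php\nreturn 'changed';\n");
var_dump(verifyHooks($dir, $manifest));
```

In a real deployment the manifest belongs outside any directory the web process can write to (or in a signed artifact), otherwise a file-write flaw like this one could update the manifest along with the hook. Running verifyHooks() on a schedule and alerting on a non-empty result gives the detection the control calls for even before a payment reaches the require() path.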