Pay-uz Laravel Package Exposes Payment Files to Unauthenticated Attacks
CVE-2026-31843
GHSA-m5wg-cjgh-223j
Summary
The pay-uz Laravel package has a security flaw that lets unauthenticated attackers overwrite the package's PHP payment hook files. Because those files are executed during normal payment processing, this could allow attackers to take control of your website's payment system. Update the package to the latest version to fix this issue.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Ecosystem | Vendor | Product | Affected versions |
|---|---|---|---|
| composer | goodoneuz | pay-uz | <= 2.2.24 |
Original title
goodoneuz/pay-uz: the /payment/api/editable/update endpoint overwrites existing PHP payment hook files
Original description
The goodoneuz/pay-uz Laravel package (<= 2.2.24) contains a critical vulnerability in the /payment/api/editable/update endpoint that allows unauthenticated attackers to overwrite existing PHP payment hook files. The endpoint is exposed via Route::any() without authentication middleware, enabling remote access without credentials. User-controlled input is directly written into executable PHP files using file_put_contents(). These files are later executed via require() during normal payment processing workflows, resulting in remote code execution under default application behavior. The payment secret token mentioned by the vendor is unrelated to this endpoint and does not mitigate the vulnerability.
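The description above names the three ingredients of the flaw: a `Route::any()` route with no authentication middleware, request input written with `file_put_contents()` into a PHP file, and that file later loaded with `require()`. The following is an added illustration, not code from goodoneuz/pay-uz, showing that route pattern next to a hardened equivalent. The controller name, the hook names in the allow-list and the `manage-payment-hooks` ability are assumptions chosen for the example.

```php
<?php
// Added illustration (not goodoneuz/pay-uz code). Names such as
// ApiController, the hook allow-list and the 'manage-payment-hooks'
// ability are hypothetical.

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;
use Illuminate\Support\Facades\Storage;

// Pattern the advisory describes: any HTTP method, no auth middleware,
// and a request field written straight into a PHP source file that the
// payment workflow later require()s. Kept as comments only.
//
//   Route::any('/payment/api/editable/update', [ApiController::class, 'update']);
//   ...
//   file_put_contents($hookPath, $request->input('content'));   // executable code from the client
//   ...
//   require $hookPath;                                           // runs it during payment processing

// Hardened equivalent:
//  - a single HTTP method instead of Route::any()
//  - 'web' (session + CSRF) and 'auth' middleware, plus an authorization gate
//  - strict validation with an allow-list of hook names
//  - hook settings stored as data (JSON), never as executable PHP
Route::middleware(['web', 'auth', 'can:manage-payment-hooks'])
    ->post('/payment/api/editable/update', function (Request $request) {
        $data = $request->validate([
            'hook'         => ['required', 'string', 'in:before_pay,after_pay,on_cancel'],
            'enabled'      => ['required', 'boolean'],
            'amount_limit' => ['nullable', 'integer', 'min:0'],
        ]);

        // The file name is taken from the validated allow-list, so the client
        // cannot choose an arbitrary path, and the content is plain JSON.
        Storage::disk('local')->put(
            'payment-hooks/' . $data['hook'] . '.json',
            json_encode([
                'enabled'      => $data['enabled'],
                'amount_limit' => $data['amount_limit'],
            ], JSON_THROW_ON_ERROR)
        );

        return response()->json(['status' => 'ok']);
    });
```

The design point is that a payment hook should be configuration the application interprets, not source the application executes; once the endpoint stores data rather than PHP, the `require()` step that turns a file write into code execution disappears entirely, and the middleware stack limits who can reach the endpoint in the first place.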
CVSS scores (NVD)

| Version | Score |
|---|---|
| CVSS 2.0 | 10.0 |
| CVSS 3.1 | 9.8 |
| CVSS 4.0 | 10.0 |

Vulnerability type
CWE-284: Improper Access Control
References
- https://github.com/goodoneuz/pay-uz/blob/master/src/Http/Controllers/ApiControll...
- https://github.com/goodoneuz/pay-uz/blob/master/src/routes/web.php
- https://github.com/shaxzodbek-uzb/pay-uz
- https://packagist.org/packages/goodoneuz/pay-uz
- https://nvd.nist.gov/vuln/detail/CVE-2026-31843
- https://github.com/advisories/GHSA-m5wg-cjgh-223j
Published: 16 Apr 2026 · Updated: 16 Apr 2026 · First seen: 16 Apr 2026