{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31843", "assignerOrgId": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c", "state": "PUBLISHED", "assignerShortName": "TuranSec", "dateReserved": "2026-03-09T18:20:23.398Z", "datePublished": "2026-04-16T13:02:55.701Z", "dateUpdated": "2026-04-16T19:30:21.203Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c", "shortName": "TuranSec", "dateUpdated": "2026-04-16T13:07:39.550Z"}, "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-284", "description": "CWE-284 Improper Access Control leading to unauthorized modification of executable application files", "type": "CWE"}]}], "impacts": [{"descriptions": [{"lang": "en", "value": "An unauthenticated attacker can modify executable PHP payment hook files, resulting in injection of malicious PHP code. When these modified files are executed during payment processing via require(), this leads to remote code execution with web server privileges and full application compromise."}]}], "affected": [{"vendor": "goodoneuz", "product": "pay-uz", "collectionURL": "https://packagist.org/packages/goodoneuz/pay-uz", "packageName": "goodoneuz/pay-uz", "repo": "https://github.com/shaxzodbek-uzb/pay-uz/", "versions": [{"status": "affected", "version": "<= 2.2.24"}], "defaultStatus": "affected"}], "descriptions": [{"lang": "en", "value": "The goodoneuz/pay-uz Laravel package (<= 2.2.24) contains a critical vulnerability in the /payment/api/editable/update endpoint that allows unauthenticated attackers to overwrite existing PHP payment hook files. The endpoint is exposed via Route::any() without authentication middleware, enabling remote access without credentials. User-controlled input is directly written into executable PHP files using file_put_contents(). These files are later executed via require() during normal payment processing workflows, resulting in remote code execution under default application behavior. The payment secret token mentioned by the vendor is unrelated to this endpoint and does not mitigate the vulnerability.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>The goodoneuz/pay-uz Laravel package (&lt;= 2.2.24) contains a critical vulnerability in the /payment/api/editable/update endpoint that allows unauthenticated attackers to overwrite existing PHP payment hook files. The endpoint is exposed via Route::any() without authentication middleware, enabling remote access without credentials. User-controlled input is directly written into executable PHP files using file_put_contents(). These files are later executed via require() during normal payment processing workflows, resulting in remote code execution under default application behavior. The payment secret token mentioned by the vendor is unrelated to this endpoint and does not mitigate the vulnerability.</p>"}]}], "references": [{"url": "https://github.com/shaxzodbek-uzb/pay-uz", "tags": ["product"]}, {"url": "https://github.com/goodoneuz/pay-uz/blob/master/src/routes/web.php", "tags": ["issue-tracking"]}, {"url": "https://github.com/goodoneuz/pay-uz/blob/master/src/Http/Controllers/ApiController.php", "tags": ["issue-tracking"]}, {"url": "https://packagist.org/packages/goodoneuz/pay-uz", "tags": ["product"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "subIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "CRITICAL", "baseScore": 10, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"}}, {"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseSeverity": "CRITICAL", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}}, {"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV2_0": {"version": "2.0", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "baseScore": 10, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-16T17:23:59.905688Z", "id": "CVE-2026-31843", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-16T19:30:21.203Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-31843", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-16T17:23:59.905688Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-16T17:24:03.961Z"}}], "cna": {"source": {"discovery": "EXTERNAL"}, "impacts": [{"descriptions": [{"lang": "en", "value": "An unauthenticated attacker can modify executable PHP payment hook files, resulting in injection of malicious PHP code. When these modified files are executed during payment processing via require(), this leads to remote code execution with web server privileges and full application compromise."}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 10, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"format": "CVSS", "cvssV2_0": {"version": "2.0", "baseScore": 10, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "authentication": "NONE", "integrityImpact": "COMPLETE", "accessComplexity": "LOW", "availabilityImpact": "COMPLETE", "confidentialityImpact": "COMPLETE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/shaxzodbek-uzb/pay-uz/", "vendor": "goodoneuz", "product": "pay-uz", "versions": [{"status": "affected", "version": "<= 2.2.24"}], "packageName": "goodoneuz/pay-uz", "collectionURL": "https://packagist.org/packages/goodoneuz/pay-uz", "defaultStatus": "affected"}], "references": [{"url": "https://github.com/shaxzodbek-uzb/pay-uz", "tags": ["product"]}, {"url": "https://github.com/goodoneuz/pay-uz/blob/master/src/routes/web.php", "tags": ["issue-tracking"]}, {"url": "https://github.com/goodoneuz/pay-uz/blob/master/src/Http/Controllers/ApiController.php", "tags": ["issue-tracking"]}, {"url": "https://packagist.org/packages/goodoneuz/pay-uz", "tags": ["product"]}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "The goodoneuz/pay-uz Laravel package (<= 2.2.24) contains a critical vulnerability in the /payment/api/editable/update endpoint that allows unauthenticated attackers to overwrite existing PHP payment hook files. The endpoint is exposed via Route::any() without authentication middleware, enabling remote access without credentials. User-controlled input is directly written into executable PHP files using file_put_contents(). These files are later executed via require() during normal payment processing workflows, resulting in remote code execution under default application behavior. The payment secret token mentioned by the vendor is unrelated to this endpoint and does not mitigate the vulnerability.", "supportingMedia": [{"type": "text/html", "value": "<p>The goodoneuz/pay-uz Laravel package (&lt;= 2.2.24) contains a critical vulnerability in the /payment/api/editable/update endpoint that allows unauthenticated attackers to overwrite existing PHP payment hook files. The endpoint is exposed via Route::any() without authentication middleware, enabling remote access without credentials. User-controlled input is directly written into executable PHP files using file_put_contents(). These files are later executed via require() during normal payment processing workflows, resulting in remote code execution under default application behavior. The payment secret token mentioned by the vendor is unrelated to this endpoint and does not mitigate the vulnerability.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "CWE-284 Improper Access Control leading to unauthorized modification of executable application files"}]}], "providerMetadata": {"orgId": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c", "shortName": "TuranSec", "dateUpdated": "2026-04-16T13:07:39.550Z"}}}, "cveMetadata": {"cveId": "CVE-2026-31843", "state": "PUBLISHED", "dateUpdated": "2026-04-16T19:30:21.203Z", "dateReserved": "2026-03-09T18:20:23.398Z", "assignerOrgId": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c", "datePublished": "2026-04-16T13:02:55.701Z", "assignerShortName": "TuranSec"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The goodoneuz/pay-uz Laravel package (<= 2.2.24) contains a critical vulnerability in the /payment/api/editable/update endpoint that allows unauthenticated attackers to overwrite existing PHP payment hook files. The endpoint is exposed via Route::any() without authentication middleware, enabling remote access without credentials. User-controlled input is directly written into executable PHP files using file_put_contents(). These files are later executed via require() during normal payment processing workflows, resulting in remote code execution under default application behavior. The payment secret token mentioned by the vendor is unrelated to this endpoint and does not mitigate the vulnerability."}], "id": "CVE-2026-31843", "lastModified": "2026-04-17T15:38:09.243", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 10.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c", "type": "Secondary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 10.0, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c", "type": "Secondary"}]}, "published": "2026-04-16T13:16:48.473", "references": [{"source": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c", "url": "https://github.com/goodoneuz/pay-uz/blob/master/src/Http/Controllers/ApiController.php"}, {"source": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c", "url": "https://github.com/goodoneuz/pay-uz/blob/master/src/routes/web.php"}, {"source": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c", "url": "https://github.com/shaxzodbek-uzb/pay-uz"}, {"source": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c", "url": "https://packagist.org/packages/goodoneuz/pay-uz"}], "sourceIdentifier": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}], "source": "309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.2.24]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "pay-uz", "source": "cna", "vendor": "goodoneuz"}, "product": "pay-uz", "vendor": "goodoneuz"}], "analysis": {"en": {"generated_at": "2026-04-17T03:05:40.248999+00:00", "value": {"mitigation_remediation": ["Upgrade the goodoneuz/pay-uz Laravel package to a version higher than 2.2.24 where the vulnerability is fixed.", "Restrict access to the /payment/api/editable/update endpoint by adding authentication middleware or firewall rules to ensure only authorized users can use this route.", "If upgrading is not immediately possible, mitigate by temporarily removing or disabling the route in routes/web.php so that unauthenticated requests cannot reach the vulnerable endpoint."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "All instances of the goodoneuz/pay-uz package with version 2.2.24 or earlier are affected. The vendor\u2019s documentation indicates that the issue is present only in releases up to 2.2.24; no specific patch has been published yet for newer versions. The lack of a precise affected version list means that any deployment using the vulnerable package should be considered at risk unless the application is known to use a version newer than 2.2.24.", "description_and_impact": "The vulnerability in the goodoneuz/pay-uz Laravel package exists in the /payment/api/editable/update endpoint. The endpoint is exposed via Route::any() without authentication middleware, allowing unauthenticated HTTP requests to reach it. User-provided input is written directly as content into PHP hook files using file_put_contents(), and those files are later included with require() during normal payment processing. This directly enables an attacker to inject and execute arbitrary PHP code, resulting in remote code execution and full compromise of the application\u2019s confidentiality, integrity and availability.", "risk_and_exploitability": "The CVSS score is 10.0, reflecting a high\u2011severity exploit with remote impact. EPSS data is unavailable, and the vulnerability is not listed in CISA\u2019s KEV catalog. Attackers can trigger the flaw by sending an unauthenticated request to the exposed endpoint and supplying malicious PHP payload as part of the request body or query parameters. The absence of authentication or input validation creates a straightforward path to overwrite existing hook files and execute code during the payment workflow."}}}}, "created": "2026-04-16T18:58:33.749660+00:00", "title": "Unauthenticated Remote Code Execution via Payment Hook Overwrite in Pay-uz", "updated": "2026-04-17T03:15:08.534650+00:00", "vendors": ["goodoneuz", "goodoneuz$PRODUCT$pay-uz"]}