CVE-2026-31843 - Vulnerability Analysis
CriticalCVSS: 9.8Last Updated: April 17, 2026
goodoneuz/pay-uz Laravel - Remote Code Execution
Overview
goodoneuz/pay-uz Laravel package <= 2.2.24 contains a remote code execution caused by unauthenticated access to /payment/api/editable/update endpoint that allows overwriting PHP payment hook files, letting remote attackers execute arbitrary code, exploit requires no authentication.
Severity & Score
Impact
Remote attackers can execute arbitrary PHP code, leading to full system compromise.
Mitigation
Update to a version later than 2.2.24 or apply vendor patches to secure the /payment/api/editable/update endpoint.
References
Social Media Activity(2 posts)
⚠️ CVE-2026-31843: CRITICAL improper access control in goodoneuz/pay-uz <=2.2.24 allows unauthenticated PHP file overwrite & RCE via /payment/api/editable/update. No patch yet — restrict endpoint access! https://radar.offseq.com/threat/cve-2026-31843-cwe-284-improper-access-control-lea-f84d8bc9 #OffSeq #CVE202631843 #Laravel #RCE
View original post
🔴 CVE-2026-31843 - Critical (9.8) The goodoneuz/pay-uz Laravel package (<= 2.2.24) contains a critical vulnerability in the /payment/api/editable/update endpoint that allows unauthenticated attackers to overwrite existing PHP payment hook files. The endpoint is exposed via Rout... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-31843/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
View original postRelated Resources
Details
- CVE ID
- CVE-2026-31843
- Severity
- Critical
- CVSS Score
- 9.8
- Type
- remote_code_execution
- Status
- unconfirmed
- EPSS
- 88.6%
- Social Posts
- 2
CWE
- CWE-284
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H