Unauthenticated Remote Code Execution in goodoneuz/pay-uz Laravel Package
A critical unauthenticated remote code execution vulnerability exists in the goodoneuz/pay-uz Laravel package (<= 2.2.24) due to direct user-controlled input being written to executable PHP files via the /payment/api/editable/update endpoint.
The goodoneuz/pay-uz Laravel package, specifically versions 2.2.24 and earlier, is vulnerable to unauthenticated remote code execution (RCE). The vulnerability, identified as CVE-2026-31843, resides in the /payment/api/editable/update endpoint. This endpoint is insecurely exposed via Route::any() without requiring any form of authentication. This allows any remote attacker to directly write arbitrary, user-supplied input into existing PHP files. Because these files are payment hooks executed via require() during standard payment processing, attackers can inject and execute arbitrary code on the server. This RCE vulnerability poses a severe risk to applications utilizing the vulnerable package, potentially leading to full system compromise.
Attack Chain
- The attacker sends a crafted HTTP POST request to the
/payment/api/editable/updateendpoint. - The request contains malicious PHP code within the POST parameters, designed for remote code execution.
- The vulnerable endpoint uses
file_put_contents()to write the attacker-supplied PHP code directly into an existing PHP file, overwriting its original content. - The overwritten PHP file is located within the payment processing directory.
- During normal payment processing, the application uses
require()to include and execute the modified PHP file. - The attacker's malicious PHP code is executed on the server with the permissions of the web server user.
- The attacker gains control of the server, enabling activities like installing web shells.
Impact
Successful exploitation of CVE-2026-31843 allows unauthenticated attackers to achieve remote code execution on the affected server. This could lead to complete compromise of the system, potentially affecting sensitive data such as customer payment information, API keys, and other confidential data stored within the Laravel application. The impact is particularly severe for e-commerce platforms and any application processing financial transactions using the vulnerable package.
Recommendation
- Upgrade the
goodoneuz/pay-uzLaravel package to a patched version greater than 2.2.24 to remediate CVE-2026-31843. - Monitor web server logs for suspicious POST requests to the
/payment/api/editable/updateendpoint as described in the attack chain. - Deploy the Sigma rule
Detect Pay-UZ Laravel RCE Attemptto identify exploitation attempts via HTTP requests to the vulnerable endpoint. - Enable web server logging to capture HTTP POST request data for effective detection and investigation.
Detection coverage 2
Detect Pay-UZ Laravel RCE Attempt
criticalDetects attempts to exploit the RCE vulnerability (CVE-2026-31843) in the goodoneuz/pay-uz Laravel package by monitoring HTTP POST requests to the /payment/api/editable/update endpoint.
Detect Suspicious File Modification in Laravel Payment Directory
highDetects suspicious file modifications within the Laravel payment directory, which could indicate exploitation of the RCE vulnerability.
Detection queries are available on the platform. Get full rules →