<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>CVE-2026-31843 - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/cve-2026-31843/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 02 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/cve-2026-31843/feed.xml" rel="self" type="application/rss+xml"/><item><title>Unauthenticated Remote Code Execution in goodoneuz/pay-uz Laravel Package</title><link>https://feed.craftedsignal.io/briefs/2024-01-laravel-rce/</link><pubDate>Tue, 02 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-laravel-rce/</guid><description>A critical unauthenticated remote code execution vulnerability exists in the goodoneuz/pay-uz Laravel package (&lt;= 2.2.24) due to direct user-controlled input being written to executable PHP files via the /payment/api/editable/update endpoint.</description><content:encoded><![CDATA[<p>The goodoneuz/pay-uz Laravel package, specifically versions 2.2.24 and earlier, is vulnerable to unauthenticated remote code execution (RCE). The vulnerability, identified as CVE-2026-31843, resides in the <code>/payment/api/editable/update</code> endpoint. This endpoint is insecurely exposed via <code>Route::any()</code> without requiring any form of authentication. This allows any remote attacker to directly write arbitrary, user-supplied input into existing PHP files. Because these files are payment hooks executed via <code>require()</code> during standard payment processing, attackers can inject and execute arbitrary code on the server. This RCE vulnerability poses a severe risk to applications utilizing the vulnerable package, potentially leading to full system compromise.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker sends a crafted HTTP POST request to the <code>/payment/api/editable/update</code> endpoint.</li>
<li>The request contains malicious PHP code within the POST parameters, designed for remote code execution.</li>
<li>The vulnerable endpoint uses <code>file_put_contents()</code> to write the attacker-supplied PHP code directly into an existing PHP file, overwriting its original content.</li>
<li>The overwritten PHP file is located within the payment processing directory.</li>
<li>During normal payment processing, the application uses <code>require()</code> to include and execute the modified PHP file.</li>
<li>The attacker's malicious PHP code is executed on the server with the permissions of the web server user.</li>
<li>The attacker gains control of the server, enabling activities like installing web shells.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-31843 allows unauthenticated attackers to achieve remote code execution on the affected server. This could lead to complete compromise of the system, potentially affecting sensitive data such as customer payment information, API keys, and other confidential data stored within the Laravel application. The impact is particularly severe for e-commerce platforms and any application processing financial transactions using the vulnerable package.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade the <code>goodoneuz/pay-uz</code> Laravel package to a patched version greater than 2.2.24 to remediate CVE-2026-31843.</li>
<li>Monitor web server logs for suspicious POST requests to the <code>/payment/api/editable/update</code> endpoint as described in the attack chain.</li>
<li>Deploy the Sigma rule <code>Detect Pay-UZ Laravel RCE Attempt</code> to identify exploitation attempts via HTTP requests to the vulnerable endpoint.</li>
<li>Enable web server logging to capture HTTP POST request data for effective detection and investigation.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>CVE-2026-31843</category><category>RCE</category><category>Laravel</category><category>webserver</category></item></channel></rss>