External risk intelligence

Laravel payment package lets attackers run malicious code on your server.

CVE advisory
Severity: CRITICAL (CVSS 10.0)

CVE-2026-31843

The goodoneuz/pay-uz Laravel package has a critical flaw allowing anyone to run malicious code on your server, potentially compromising your entire system. This issue is especially concerning for payment processing systems.

Halo Surface Signal score: 5

Remote Code Execution

External exposure likelihood

Halo Surface Signal score for CVE-2026-31843

The vulnerable endpoint is part of a payment processing package designed to receive external callbacks. Since payment endpoints must be publicly accessible to process incoming transactions from providers, the vulnerable interface is exposed to the internet by design in standard deployments.

Horizon Alert

Summary of the vulnerability and why it matters

This critical vulnerability in the goodoneuz/pay-uz Laravel package allows unauthenticated attackers to execute arbitrary code on your server. The issue lies in an unprotected API endpoint that writes user-controlled data into executable PHP files, which are later run by the application. This could allow an attacker to take full control of your server.

  • Reaches servers from the internet.
  • Grants attackers server-wide control.
  • Affects payment processing systems.

Attack Path

How an attacker could exploit the issue

An unauthenticated attacker can exploit this by sending a crafted request to a vulnerable API endpoint. This request would overwrite existing payment hook files with malicious PHP code. The application then executes this code during normal payment processing, leading to remote code execution.

  • Target is the API endpoint.
  • No authentication is required.
  • Input is directly written to executable files.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability is a critical remote code execution flaw in a payment package, making it highly attractive to attackers. Overwriting an executable file with user-controlled input and waiting for the application to run it is a classic and effective attack pattern, and the vendor's acknowledgment that the secret token referred to elsewhere is irrelevant further confirms the exposure.

  • Unauthenticated RCE
  • Publicly accessible endpoint
  • Payment processing context

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize isolating or taking offline any services using the goodoneuz/pay-uz Laravel package version 2.2.24 or earlier. This vulnerability is critical, allows unauthenticated remote code execution, and is exposed over the network. Immediate containment is necessary to prevent compromise.

  • Block network access to the affected endpoint.
  • Monitor for suspicious file write activity.
  • Update package to a version that addresses the vulnerability.
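One way to act on the "block" and "monitor" items above, as an added example that is not part of this advisory or of the pay-uz package: a Python script that flags access-log requests reaching the endpoint named in this advisory and checks a hash baseline of the PHP hook files for overwrites. The log format, hook directory layout and file names are assumptions; the log lines are constructed.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Endpoint named in the advisory. Route::any() accepts every HTTP method, so match on path only.
VULN_PATH = "/payment/api/editable/update"

# Apache/nginx combined log format (assumed): client IP, request line, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

def suspicious_requests(lines):
    """Return (ip, method, status) for every request that reached the vulnerable endpoint."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and m.group("path").split("?", 1)[0] == VULN_PATH:
            hits.append((m.group("ip"), m.group("method"), int(m.group("status"))))
    return hits

def hook_baseline(hook_dir):
    """Hash every PHP hook file so later overwrites can be detected."""
    return {p.name: hashlib.sha256(p.read_bytes()).hexdigest()
            for p in Path(hook_dir).glob("*.php")}

def modified_hooks(hook_dir, baseline):
    """Names of hook files that changed, appeared or disappeared since the baseline."""
    current = hook_baseline(hook_dir)
    return sorted(n for n in set(baseline) | set(current) if baseline.get(n) != current.get(n))

def tamper_check_demo():
    """Constructed scenario: baseline two hooks, overwrite one, report the change."""
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "callback.php").write_text("<?php // legitimate hook\n")
        (Path(d) / "refund.php").write_text("<?php // legitimate hook\n")
        baseline = hook_baseline(d)
        (Path(d) / "callback.php").write_text("<?php // contents replaced via the endpoint\n")
        return modified_hooks(d, baseline)

# Constructed access-log lines, not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/May/2026:10:00:01 +0000] "POST /payment/callback HTTP/1.1" 200 512 "-" "-"',
    '198.51.100.7 - - [01/May/2026:10:00:09 +0000] "POST /payment/api/editable/update HTTP/1.1" 200 17 "-" "-"',
    '198.51.100.7 - - [01/May/2026:10:00:10 +0000] "GET /payment/api/editable/update?x=1 HTTP/1.1" 200 17 "-" "-"',
]

if __name__ == "__main__":
    print("requests to review:", suspicious_requests(SAMPLE_LOG))
    print("hook files changed:", tamper_check_demo())
```

Run the baseline once on a known-good deployment and re-run the comparison on a schedule; any hit on the endpoint from a host still running 2.2.24 or earlier warrants checking the hook files against that baseline.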

Frequently asked questions

What is the primary function of the goodoneuz/pay-uz Laravel package affected by CVE-2026-31843?

The goodoneuz/pay-uz Laravel package is designed to handle payment processing within a Laravel application, facilitating interactions related to payment transactions.

How does the critical vulnerability (CWE-284) in CVE-2026-31843 enable remote code execution?

The vulnerability allows unauthenticated attackers to overwrite existing PHP payment hook files via the /payment/api/editable/update endpoint. User-controlled input is written directly into executable PHP files, which are then executed by the application during normal payment processing, leading to remote code execution.

What is the attack vector and scope of CVE-2026-31843, and how does it bypass security?

The attack vector is the network (AV:N), and the attack complexity is low (AC:L). Attackers can exploit this remotely without any privileges (PR:N) or user interaction (UI:N). The vulnerability is present in an API endpoint exposed via Route::any() without authentication middleware, directly writing user input to executable files.

Given its characteristics, how likely is it that CVE-2026-31843 will be exploited in the wild, and what makes it a significant threat?

This vulnerability is rated as 'Very likely' to be exploited. The vulnerable endpoint is part of a payment processing package, which by necessity must be publicly accessible to handle external callbacks. This inherent exposure, combined with the unauthenticated remote code execution flaw, makes it a prime target for attackers.

What immediate steps should be taken to mitigate the risk associated with CVE-2026-31843?

The most critical immediate action is to isolate or take offline any services using the affected versions of the goodoneuz/pay-uz Laravel package. Network access to the vulnerable endpoint should be blocked, and any suspicious file write activity should be monitored. Updating the package to a version that addresses this vulnerability is also essential.
