PT-2026-33312 · Packagist · Pay-Uz

Published

2026-04-16

·

Updated

2026-06-25

·

CVE-2026-31843

CVSS v2.0

10

Critical

VectorAV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions pay-uz versions prior to 2.2.25
Description The pay-uz Laravel package contains a flaw in the '/payment/api/editable/update' endpoint. This endpoint is exposed via Route::any() without authentication middleware, allowing unauthenticated remote access. User-controlled input is written directly into executable PHP payment hook files using the file put contents() function. These files are subsequently executed via the require() function during standard payment processing, which can lead to remote code execution.
Recommendations Update to a version later than 2.2.24. As a temporary workaround, restrict access to the '/payment/api/editable/update' endpoint to minimize the risk of exploitation.

Exploit

Fix

RCE

Improper Access Control

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-31843
GHSA-M5WG-CJGH-223J

Affected Products

Pay-Uz