PT-2026-33312 · Packagist · Pay-Uz

Published: 2026-04-16 · Updated: 2026-04-18 · CVE-2026-31843

CVSS v3.1: 10 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: pay-uz versions prior to 2.2.25
Description: The pay-uz Laravel package contains a flaw in the '/payment/api/editable/update' endpoint. The endpoint is registered via Route::any() without authentication middleware, so it is reachable by unauthenticated remote clients. User-controlled input is written directly into executable PHP payment hook files with file_put_contents(); these files are later loaded with require() during normal payment processing, which can lead to remote code execution.
Recommendations: Update to a version later than 2.2.24. As a temporary workaround, restrict access to the '/payment/api/editable/update' endpoint to minimize the risk of exploitation.
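One way to apply the temporary workaround above in the installing application, as an added example and not code from the pay-uz package: a Laravel middleware that denies requests to the affected path unless they come from an allow-listed operator address. The class name, the allow-listed address and the registration step are assumptions.

```php
<?php
// Added example, not code from the pay-uz package: an application-level
// middleware that blocks the affected endpoint until the package is updated.
// Assumptions: a Laravel app that installs pay-uz; the middleware is registered
// globally (Kernel::$middleware on Laravel <= 10, ->withMiddleware() in
// bootstrap/app.php on Laravel 11+); the allow-listed address is a placeholder.

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\Response;

class RestrictPayUzEditableUpdate
{
    /** Path from the advisory, without the leading slash (Request::is() form). */
    private const RESTRICTED_PATHS = ['payment/api/editable/update'];

    /** Constructed placeholder: replace with the real operator network. */
    private const ALLOWED_IPS = ['203.0.113.10'];

    public function handle(Request $request, Closure $next): Response
    {
        if ($request->is(...self::RESTRICTED_PATHS)) {
            // The package registers the route with Route::any(), so the check
            // must apply to every HTTP method, not just POST.
            // Behind a reverse proxy, $request->ip() only reflects the real
            // client when TrustProxies is configured for that proxy.
            if (!in_array($request->ip(), self::ALLOWED_IPS, true)) {
                // Denied hits are a useful detection signal; log them.
                logger()->warning('Blocked request to pay-uz editable endpoint', [
                    'ip'     => $request->ip(),
                    'method' => $request->method(),
                ]);
                abort(403);
            }
        }

        return $next($request);
    }
}
```

Because the middleware is global it runs before route matching, so it covers the package route regardless of the order in which service providers register their routes.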

Fix

RCE

Improper Access Control

Weakness Enumeration

Related Identifiers

CVE-2026-31843
GHSA-M5WG-CJGH-223J

Affected Products

Pay-Uz