Critical RCE in Laravel Payment Package


A critical vulnerability, tracked as CVE-2026-31843, has been identified in the goodoneuz/pay-uz Laravel package, affecting versions up to and including 2.2.24. According to the National Vulnerability Database, this flaw resides in the /payment/api/editable/update endpoint, allowing unauthenticated attackers to overwrite existing PHP payment hook files. This is a big deal, folks.

The endpoint is exposed without any authentication middleware, a rookie mistake that means no credentials are needed to reach it. User-controlled input from the request is written directly into executable PHP files via file_put_contents(), and those files are then loaded by require() during normal payment processing, so the injected code runs under default application behavior: remote code execution (RCE). The National Vulnerability Database also notes that the vendor’s mention of a payment secret token is irrelevant to this endpoint and offers no mitigation against this critical RCE.

With a CVSS score of 9.8 (CRITICAL), this vulnerability is as bad as it gets. It’s a classic case of improper access control and unchecked input leading to arbitrary code execution, a red flag for any web application security professional. The CWE-284 classification, indicating ‘Improper Access Control’, perfectly encapsulates the core issue here.

What This Means For You

  • If your organization uses the `goodoneuz/pay-uz` Laravel package, you need to immediately verify your version. If it's 2.2.24 or older, you are exposed to unauthenticated remote code execution. Patch or remove this package without delay and audit your payment processing logs for any suspicious activity.
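As an added example (not code from the advisory, NVD, or the pay-uz package), the two checks above written as a Python script: it reads a composer.lock to see whether goodoneuz/pay-uz is pinned at a release up to 2.2.24, and scans web server access log lines for requests to /payment/api/editable/update. The combined log format, the sample lock file and the sample log lines are constructed for the example, and only numeric versions are handled.

```python
import json
import re

VULN_PACKAGE = "goodoneuz/pay-uz"
LAST_VULNERABLE = (2, 2, 24)          # releases <= 2.2.24 are affected
VULN_ENDPOINT = "/payment/api/editable/update"

def parse_version(text):
    """Turn '2.2.24' or 'v2.2.24' into a comparable tuple of three integers."""
    core = re.match(r"v?(\d+(?:\.\d+)*)", text.strip())
    if not core:
        raise ValueError(f"unparseable version: {text!r}")
    parts = [int(p) for p in core.group(1).split(".")]
    return tuple(parts + [0] * (3 - len(parts)))[:3]

def installed_vulnerable(lock_json):
    """Return the pinned version if composer.lock contains an affected release, else None."""
    data = json.loads(lock_json)
    for pkg in data.get("packages", []) + data.get("packages-dev", []):
        if pkg.get("name") == VULN_PACKAGE and parse_version(pkg["version"]) <= LAST_VULNERABLE:
            return pkg["version"]
    return None

# Combined log format: client, identity, user, [timestamp], "METHOD path HTTP/x", status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def suspicious_requests(log_lines):
    """Return (client, timestamp, method, status) for every request to the vulnerable endpoint."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and m.group(4).split("?")[0] == VULN_ENDPOINT:   # ignore query string
            hits.append((m.group(1), m.group(2), m.group(3), int(m.group(5))))
    return hits

# Constructed sample data (not real traffic or a real lock file)
SAMPLE_LOCK = json.dumps({"packages": [{"name": "goodoneuz/pay-uz", "version": "v2.2.24"}]})
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2026:10:01:02 +0000] "POST /payment/api/editable/update HTTP/1.1" 200 512',
    '198.51.100.3 - - [10/Mar/2026:10:01:05 +0000] "GET /payment/status HTTP/1.1" 200 128',
    '203.0.113.7 - - [10/Mar/2026:10:01:09 +0000] "GET /payment/api/editable/update?x=1 HTTP/1.1" 200 64',
]

if __name__ == "__main__":
    print("vulnerable version installed:", installed_vulnerable(SAMPLE_LOCK))
    for hit in suspicious_requests(SAMPLE_LOG):
        print("endpoint hit:", hit)
```

Point the script at your real composer.lock and access logs; any hit on the endpoint from before the patch was applied deserves a look at the payment hook files on disk.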

Related ATT&CK Techniques

  • T1190 (Initial Access), severity high: Web Application Exploitation Attempt (CVE-2026-31843)


Indicators of Compromise

  • CVE-2026-31843 (RCE): goodoneuz/pay-uz Laravel package <= 2.2.24
  • CVE-2026-31843 (RCE): vulnerable endpoint /payment/api/editable/update
  • CVE-2026-31843 (Code Injection): file_put_contents() writing user input to PHP files
  • CVE-2026-31843 (Auth Bypass): endpoint exposed via Route::any() without authentication middleware
