← Kembali ke database
CVE-2026-31843 Kritis PoC Tersedia

Pay-Uz Unauthenticated File Write → RCE

Unauthenticated editable API overwrites payment hook PHP files executed via webhook handlers.

Versi Terdampak
goodoneuz/pay-uz < 4.0.0
Ditemukan
January 15, 2026
Default middleware exposes `/payment/api/editable/update` without authentication. Poisoned `after_pay.php` is loaded via `require()` when `/handle/{paysys}` routes are registered. Chain: write → webhook trigger → code execution.

Proof of Concept

terminal — bash 
curl -sk https://TARGET/payment/api/editable/update?file_name=after_pay