Skip to main content

SourceCodester Loan Management System CVE-2026-30521

| EUVDEUVD-2026-17583 MEDIUM
Client-Side Enforcement of Server-Side Security (CWE-602)
2026-03-31 mitre
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

4
PoC Detected
Apr 02, 2026 - 15:16 vuln.today
Public exploit code
EUVD ID Assigned
Mar 31, 2026 - 19:01 euvd
EUVD-2026-17583
Analysis Generated
Mar 31, 2026 - 19:01 vuln.today
CVE Published
Mar 31, 2026 - 00:00 nvd
MEDIUM 6.5

DescriptionCVE.org

A Business Logic vulnerability exists in SourceCodester Loan Management System v1.0 due to improper server-side validation. The application allows administrators to create "Loan Plans" with specific interest rates. While the frontend interface prevents users from entering negative numbers, this constraint is not enforced on the backend. An authenticated attacker can bypass the client-side restriction by manipulating the HTTP POST request to submit a negative value for the interest_percentage. This results in the creation of loan plans with negative interest rates.

AnalysisAI

SourceCodester Loan Management System v1.0 allows authenticated administrators to create loan plans with negative interest rates by submitting negative values in HTTP POST requests, bypassing client-side validation that lacks server-side enforcement. This business logic vulnerability enables attackers with administrative credentials to manipulate loan terms and potentially cause financial harm to the organization. Publicly available exploit code exists demonstrating the attack.

Technical ContextAI

The vulnerability stems from a classic client-server validation gap in web application architecture. The application implements interest rate constraints exclusively on the frontend (HTML/JavaScript form validation), which prevents users from entering negative numbers through the normal user interface. However, the backend API endpoint that processes loan plan creation (HTTP POST handler) performs no server-side validation of the interest_percentage parameter. An attacker with administrative authentication can use browser developer tools, curl, or other HTTP clients to craft a POST request with a JSON or form-encoded payload containing a negative value for interest_percentage, which the server accepts and persists to the database without validation. This bypasses the frontend security control entirely, representing a fundamental failure to implement defense-in-depth principles in input validation.

RemediationAI

Implement mandatory server-side validation of all user inputs, specifically validating that the interest_percentage parameter is a positive number (greater than zero) before accepting and storing loan plan data. This validation must occur in the backend API endpoint regardless of frontend controls. Code changes should include: (1) add a server-side check such as if (interest_percentage <= 0) { reject_request() } in the loan plan creation handler, (2) return a clear error message to the client if validation fails, and (3) log all rejected requests for audit purposes. Apply this remediation immediately to all instances of Loan Management System v1.0 in production. Additionally, conduct a data integrity audit to identify and correct any existing loan plans with negative interest rates already in the database. Future development should enforce server-side validation for all numeric and financial fields as a standard practice.

Share

CVE-2026-30521 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy