Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
4DescriptionCVE.org
A Business Logic vulnerability exists in SourceCodester Loan Management System v1.0 due to improper server-side validation. The application allows administrators to create "Loan Plans" with specific penalty rates for overdue payments. While the frontend interface prevents users from entering negative numbers in the "Monthly Overdue Penalty" field, this constraint is not enforced on the backend. An authenticated attacker can bypass the client-side restriction by manipulating the HTTP POST request to submit a negative value for the penalty_rate.
AnalysisAI
SourceCodester Loan Management System v1.0 allows authenticated administrators to submit negative penalty rates for loan overdue payments by bypassing client-side validation through direct HTTP POST manipulation, enabling financial fraud through reversed penalty calculations that benefit borrowers instead of lenders. The vulnerability requires authenticated access but no CVSS score, EPSS probability, or formal patch status is available; however, publicly available exploit code confirms the vulnerability's technical feasibility.
Technical ContextAI
The vulnerability stems from inadequate server-side input validation in the loan plan creation functionality. The application implements frontend JavaScript constraints that reject negative values in the 'Monthly Overdue Penalty' field, but these client-side controls are not mirrored by corresponding backend validation logic. An authenticated attacker can intercept the HTTP POST request containing the penalty_rate parameter and modify it to contain a negative number before it reaches the server. The server accepts this negative value and stores it in the database, causing the loan penalty calculation logic to invert the intended behavior-instead of charging borrowers additional fees for overdue payments, the system credits borrowers or reduces their principal, depending on how the penalty is applied in downstream calculations. This is a business logic flaw rather than a memory corruption or authentication bypass vulnerability, though it may be tagged as such due to the nature of its impact on authorization controls over financial transactions.
RemediationAI
The primary remediation is to implement server-side validation of the penalty_rate parameter that rejects any negative or zero values before the loan plan is created or updated. This validation must occur on the backend, independent of frontend constraints. Verify that all financial input fields (penalty rates, interest rates, fees) are validated to ensure they fall within acceptable positive ranges before being persisted to the database. Additionally, implement role-based access controls to restrict loan plan creation to only authorized administrators, and audit existing loan plans in the database to identify any with negative penalty rates that may indicate prior exploitation. Contact SourceCodester directly at the vendor's official security contact for availability of a patched version; consult the GitHub PoC at https://github.com/meifukun/Web-Security-PoCs/blob/main/Loan-Management-System/BusinessLogic-LoanPlan-NegativePenalty.md for technical details of the bypass mechanism. No vendor-released patch is independently confirmed from available data.
More in Loan Management System
View allSourcecodester Loan Management System v1.0 is vulnerable to SQL Injection via the "password" parameter in the "login.php
Loan Management System 1.0 is vulnerable to SQL Injection at the login page, which allows unauthorized users to login as
A vulnerability was found in SourceCodester Loan Management System. Rated critical severity (CVSS 9.8), this vulnerabili
A vulnerability was found in SourceCodester Loan Management System and classified as critical.php. Rated high severity (
A vulnerability was found in SourceCodester Loan Management System 1.0. Rated high severity (CVSS 7.2), this vulnerabili
A vulnerability was found in SourceCodester Loan Management System 1.0 and classified as critical.php of the component L
A vulnerability has been found in SourceCodester Loan Management System 1.0 and classified as critical. Rated high sever
A vulnerability classified as critical was found in itsourcecode Loan Management System 1.0. Rated medium severity (CVSS
SourceCodester Loan Management System v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the
Loan Management System version 1.0 suffers from a persistent cross site scripting vulnerability. Rated medium severity (
itsourcecode Loan Management System v1.0 is vulnerable to Cross Site Scripting (XSS) via a crafted payload to the lastna
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-17895