Skip to main content

Loan Management System CVE-2026-30522

| EUVDEUVD-2026-17895 MEDIUM
Client-Side Enforcement of Server-Side Security (CWE-602)
2026-04-01 cve@mitre.org
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

4
PoC Detected
Apr 01, 2026 - 18:44 vuln.today
Public exploit code
EUVD ID Assigned
Apr 01, 2026 - 14:22 euvd
EUVD-2026-17895
Analysis Generated
Apr 01, 2026 - 14:22 vuln.today
CVE Published
Apr 01, 2026 - 14:16 nvd
MEDIUM 6.5

DescriptionCVE.org

A Business Logic vulnerability exists in SourceCodester Loan Management System v1.0 due to improper server-side validation. The application allows administrators to create "Loan Plans" with specific penalty rates for overdue payments. While the frontend interface prevents users from entering negative numbers in the "Monthly Overdue Penalty" field, this constraint is not enforced on the backend. An authenticated attacker can bypass the client-side restriction by manipulating the HTTP POST request to submit a negative value for the penalty_rate.

AnalysisAI

SourceCodester Loan Management System v1.0 allows authenticated administrators to submit negative penalty rates for loan overdue payments by bypassing client-side validation through direct HTTP POST manipulation, enabling financial fraud through reversed penalty calculations that benefit borrowers instead of lenders. The vulnerability requires authenticated access but no CVSS score, EPSS probability, or formal patch status is available; however, publicly available exploit code confirms the vulnerability's technical feasibility.

Technical ContextAI

The vulnerability stems from inadequate server-side input validation in the loan plan creation functionality. The application implements frontend JavaScript constraints that reject negative values in the 'Monthly Overdue Penalty' field, but these client-side controls are not mirrored by corresponding backend validation logic. An authenticated attacker can intercept the HTTP POST request containing the penalty_rate parameter and modify it to contain a negative number before it reaches the server. The server accepts this negative value and stores it in the database, causing the loan penalty calculation logic to invert the intended behavior-instead of charging borrowers additional fees for overdue payments, the system credits borrowers or reduces their principal, depending on how the penalty is applied in downstream calculations. This is a business logic flaw rather than a memory corruption or authentication bypass vulnerability, though it may be tagged as such due to the nature of its impact on authorization controls over financial transactions.

RemediationAI

The primary remediation is to implement server-side validation of the penalty_rate parameter that rejects any negative or zero values before the loan plan is created or updated. This validation must occur on the backend, independent of frontend constraints. Verify that all financial input fields (penalty rates, interest rates, fees) are validated to ensure they fall within acceptable positive ranges before being persisted to the database. Additionally, implement role-based access controls to restrict loan plan creation to only authorized administrators, and audit existing loan plans in the database to identify any with negative penalty rates that may indicate prior exploitation. Contact SourceCodester directly at the vendor's official security contact for availability of a patched version; consult the GitHub PoC at https://github.com/meifukun/Web-Security-PoCs/blob/main/Loan-Management-System/BusinessLogic-LoanPlan-NegativePenalty.md for technical details of the bypass mechanism. No vendor-released patch is independently confirmed from available data.

CVE-2024-31678 CRITICAL POC
9.8 Apr 11

Sourcecodester Loan Management System v1.0 is vulnerable to SQL Injection via the "password" parameter in the "login.php

CVE-2022-37138 CRITICAL POC
9.8 Sep 14

Loan Management System 1.0 is vulnerable to SQL Injection at the login page, which allows unauthorized users to login as

CVE-2022-2766 CRITICAL POC
9.8 Aug 11

A vulnerability was found in SourceCodester Loan Management System. Rated critical severity (CVSS 9.8), this vulnerabili

CVE-2022-2667 HIGH POC
8.8 Aug 05

A vulnerability was found in SourceCodester Loan Management System and classified as critical.php. Rated high severity (

CVE-2023-6312 HIGH POC
7.2 Nov 27

A vulnerability was found in SourceCodester Loan Management System 1.0. Rated high severity (CVSS 7.2), this vulnerabili

CVE-2023-6311 HIGH POC
7.2 Nov 27

A vulnerability was found in SourceCodester Loan Management System 1.0 and classified as critical.php of the component L

CVE-2023-6310 HIGH POC
7.2 Nov 27

A vulnerability has been found in SourceCodester Loan Management System 1.0 and classified as critical. Rated high sever

CVE-2024-6192 MEDIUM POC
6.9 Jun 20

A vulnerability classified as critical was found in itsourcecode Loan Management System 1.0. Rated medium severity (CVSS

CVE-2023-27242 MEDIUM POC
5.4 Mar 24

SourceCodester Loan Management System v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the

CVE-2022-37139 MEDIUM POC
5.4 Sep 14

Loan Management System version 1.0 suffers from a persistent cross site scripting vulnerability. Rated medium severity (

CVE-2024-48415 MEDIUM
5.0 Oct 22

itsourcecode Loan Management System v1.0 is vulnerable to Cross Site Scripting (XSS) via a crafted payload to the lastna

Share

CVE-2026-30522 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy