Skip to main content

SourceCodester Loan Management System CVE-2026-30523

| EUVDEUVD-2026-17897 MEDIUM
Improper Input Validation (CWE-20)
2026-04-01 mitre
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
High

Lifecycle Timeline

4
PoC Detected
Apr 07, 2026 - 12:03 vuln.today
Public exploit code
EUVD ID Assigned
Apr 01, 2026 - 15:00 euvd
EUVD-2026-17897
Analysis Generated
Apr 01, 2026 - 15:00 vuln.today
CVE Published
Apr 01, 2026 - 00:00 nvd
MEDIUM 6.5

DescriptionCVE.org

A Business Logic vulnerability exists in SourceCodester Loan Management System v1.0 due to the lack of proper input validation. The application allows administrators to define "Loan Plans" which determine the duration of a loan (in months). However, the backend fails to validate that the duration must be a positive integer. An attacker can submit a negative value for the months parameter. The system accepts this invalid data and creates a loan plan with a negative duration.

AnalysisAI

SourceCodester Loan Management System v1.0 accepts negative integer values for loan plan duration due to insufficient input validation on the months parameter, allowing attackers to create loan plans with invalid negative durations that may cause unexpected system behavior or financial miscalculations. Publicly available exploit code exists, though real-world impact depends on downstream business logic that consumes these invalid loan plans.

Technical ContextAI

The vulnerability stems from a business logic flaw in the loan plan creation functionality where the backend fails to enforce a simple positive integer validation constraint on the duration (months) parameter. This is a classic input validation gap where the application accepts user-supplied data without verifying it meets expected business constraints. The affected component handles loan plan configuration, a core administrative function that should restrict duration values to logically valid ranges (positive integers). The lack of validation allows an attacker with administrative privileges to inject semantically invalid but syntactically acceptable data into the system's data store, potentially causing downstream calculation errors or application crashes if other components assume loan duration is always positive.

RemediationAI

The primary remediation is to upgrade SourceCodester Loan Management System to a patched version if available from the vendor; contact SourceCodester support to confirm patch availability and obtain the fixed release. As a compensating control pending vendor patching, implement server-side input validation on the loan plan duration parameter to reject any non-positive integer values before persisting to the database, and restrict the loan plan creation API to only trusted administrator accounts via role-based access control. Additionally, audit existing loan plans in the database for any records with negative or zero duration values and correct them manually. For technical details and proof-of-concept context, refer to the GitHub PoC: https://github.com/meifukun/Web-Security-PoCs/blob/main/Loan-Management-System/BusinessLogic-LoanPlan-NegativeMonths.md

Share

CVE-2026-30523 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy