Severity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
A Business Logic vulnerability exists in SourceCodester Loan Management System v1.0 due to the lack of proper input validation. The application allows administrators to define "Loan Plans" which determine the duration of a loan (in months). However, the backend fails to validate that the duration must be a positive integer. An attacker can submit a negative value for the months parameter. The system accepts this invalid data and creates a loan plan with a negative duration.
AnalysisAI
SourceCodester Loan Management System v1.0 accepts negative integer values for loan plan duration due to insufficient input validation on the months parameter, allowing attackers to create loan plans with invalid negative durations that may cause unexpected system behavior or financial miscalculations. Publicly available exploit code exists, though real-world impact depends on downstream business logic that consumes these invalid loan plans.
Technical ContextAI
The vulnerability stems from a business logic flaw in the loan plan creation functionality where the backend fails to enforce a simple positive integer validation constraint on the duration (months) parameter. This is a classic input validation gap where the application accepts user-supplied data without verifying it meets expected business constraints. The affected component handles loan plan configuration, a core administrative function that should restrict duration values to logically valid ranges (positive integers). The lack of validation allows an attacker with administrative privileges to inject semantically invalid but syntactically acceptable data into the system's data store, potentially causing downstream calculation errors or application crashes if other components assume loan duration is always positive.
RemediationAI
The primary remediation is to upgrade SourceCodester Loan Management System to a patched version if available from the vendor; contact SourceCodester support to confirm patch availability and obtain the fixed release. As a compensating control pending vendor patching, implement server-side input validation on the loan plan duration parameter to reject any non-positive integer values before persisting to the database, and restrict the loan plan creation API to only trusted administrator accounts via role-based access control. Additionally, audit existing loan plans in the database for any records with negative or zero duration values and correct them manually. For technical details and proof-of-concept context, refer to the GitHub PoC: https://github.com/meifukun/Web-Security-PoCs/blob/main/Loan-Management-System/BusinessLogic-LoanPlan-NegativeMonths.md
Same weakness CWE-20 – Improper Input Validation
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-17897