CVE-2026-30521 - Vulnerability Details

Description

A Business Logic vulnerability exists in SourceCodester Loan Management System v1.0 due to improper server-side validation. The application allows administrators to create "Loan Plans" with specific interest rates. While the frontend interface prevents users from entering negative numbers, this constraint is not enforced on the backend. An authenticated attacker can bypass the client-side restriction by manipulating the HTTP POST request to submit a negative value for the interest_percentage. This results in the creation of loan plans with negative interest rates.

Published: 2026-03-31

Score: n/a

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

A business logic flaw in SourceCodester Loan Management System version 1.0 permits authenticated administrators to submit negative values for the interest_percentage field. The client‑side interface blocks negative entries, but the server does not enforce this rule, enabling an attacker to craft an HTTP POST request with a negative interest rate. This results in loan plans that effectively pay the borrower rather than charging interest, potentially causing direct financial loss or undermining the system’s economic model.

Affected Systems

The vulnerability affects the SourceCodester Loan Management System, specifically the Loan Plan creation module in version 1.0. No other vendors or products were identified in the CNA data.

Risk and Exploitability

The flaw is limited to users who can authenticate with administrative privileges, so an attacker must first compromise or obtain valid credentials. No CVSS score, EPSS score, or KEV listing is available, but the financial implications are significant, as negative interest rates can erase loan repayments or generate fraudulent profit. With an approved authentication vector, the exploitation is straightforward: submit a signed POST request containing a negative interest_percentage and the system will accept and store the plan. The lack of server‑side validation makes this straightforward and time‑invariant, indicating a high exploitable risk for any organization still running this unpatched software.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

n/a

affected

Version	Status	Constraints
`n/a`	affected	—

No data.

Vendor Product Confidence Versions

Sourcecodester

Loan Management System

80%

Version	Status	Scheme	Platform
`1.0`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply vendor patch for SourceCodester Loan Management System v1.0 if available
Implement server‑side validation to reject negative interest_percentage values
Enforce a numeric range check (e.g., 0–100%) for all interest rate inputs
Perform a thorough code review to confirm all user‑supplied parameters are validated on the server
Monitor application logs for creation of loan plans with negative interest rates

Generated by OpenCVE AI on March 31, 2026 at 19:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://github.com/meifukun/Web-Security-PoCs/blob/main/Loan-Management-System/BusinessLogic-LoanPlan-NegativeInterest.md

History

Wed, 01 Apr 2026 02:15:00 +0000

Type	Values Removed	Values Added
Title		Negative Interest Rate Allows Escalated Loan Plan Creation
First Time appeared		Sourcecodester Sourcecodester loan Management System
Weaknesses		CWE-190 CWE-20
Vendors & Products		Sourcecodester Sourcecodester loan Management System

Tue, 31 Mar 2026 18:45:00 +0000

Type	Values Removed	Values Added
Description		A Business Logic vulnerability exists in SourceCodester Loan Management System v1.0 due to improper server-side validation. The application allows administrators to create "Loan Plans" with specific interest rates. While the frontend interface prevents users from entering negative numbers, this constraint is not enforced on the backend. An authenticated attacker can bypass the client-side restriction by manipulating the HTTP POST request to submit a negative value for the interest_percentage. This results in the creation of loan plans with negative interest rates.
References		https://github.com/meifukun/Web-Security-PoCs/blob/main/Loan-Management-System/BusinessLogic-LoanPlan-NegativeInterest.md

Subscriptions

Sourcecodester Loan Management System

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2026-03-31T00:00:00.000Z

Updated: 2026-03-31T18:07:33.773Z

Reserved: 2026-03-04T00:00:00.000Z

Link: CVE-2026-30521

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-03-31T19:16:25.753

Modified: 2026-03-31T19:16:25.753

Link: CVE-2026-30521

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-31T20:39:46Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object