Description
A Business Logic vulnerability exists in SourceCodester Loan Management System v1.0 due to improper server-side validation. The application allows administrators to create "Loan Plans" with specific interest rates. While the frontend interface prevents users from entering negative numbers, this constraint is not enforced on the backend. An authenticated attacker can bypass the client-side restriction by manipulating the HTTP POST request to submit a negative value for the interest_percentage. This results in the creation of loan plans with negative interest rates.
Published: 2026-03-31
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Negative Interest Rate Creation
Action: Apply Patch
AI Analysis

Impact

The vulnerability allows an authenticated user to create loan plans with negative interest rates by sending a modified POST request that circumvents client‑side validation. This business‑logic flaw lets the attacker define loan products that effectively reward borrowers or drain funds, undermining financial integrity.

Affected Systems

The vulnerability impacts SourceCodester's Loan Management System, version 1.0. Administrators of this application can create loan plans with any interest percentage due to missing server‑side checks.

Risk and Exploitability

The flaw carries a CVSS score of 6.5 and an EPSS score below 1 %. It is not listed in the CISA KEV catalog. Exploitation requires valid administrative credentials and the ability to alter the interest_percentage field in an HTTP POST request. Successful exploitation grants the attacker the ability to create loan products with undesired negative rates, resulting in financial loss or benefit.

Generated by OpenCVE AI on April 2, 2026 at 22:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest vendor release that enforces server‑side validation of interest rates.
  • If no update is available, modify the backend to reject negative values for interest_percentage before persisting loan plans.
  • Review all existing loan plans for negative interest rates and adjust or invalidate those entries.
  • Monitor administrative actions for creation of loan plans with negative rates and investigate anomalies.

Generated by OpenCVE AI on April 2, 2026 at 22:03 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 03 Apr 2026 10:15:00 +0000

Type Values Removed Values Added
Title Business Logic Flaw Enables Negative Interest Rates in Loan Management System

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Title Negative Interest Rate Allows Escalated Loan Plan Creation
Weaknesses CWE-190
CWE-20

Thu, 02 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-602
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
First Time appeared Oretnom23
Oretnom23 loan Management System
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:a:oretnom23:loan_management_system:1.0:*:*:*:*:*:*:*
Vendors & Products Oretnom23
Oretnom23 loan Management System
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N'}

Wed, 01 Apr 2026 02:15:00 +0000

Type Values Removed Values Added
Title Negative Interest Rate Allows Escalated Loan Plan Creation
First Time appeared Sourcecodester
Sourcecodester loan Management System
Weaknesses CWE-190
CWE-20
Vendors & Products Sourcecodester
Sourcecodester loan Management System

Tue, 31 Mar 2026 18:45:00 +0000

Type Values Removed Values Added
Description A Business Logic vulnerability exists in SourceCodester Loan Management System v1.0 due to improper server-side validation. The application allows administrators to create "Loan Plans" with specific interest rates. While the frontend interface prevents users from entering negative numbers, this constraint is not enforced on the backend. An authenticated attacker can bypass the client-side restriction by manipulating the HTTP POST request to submit a negative value for the interest_percentage. This results in the creation of loan plans with negative interest rates.
References

Subscriptions

Oretnom23 Loan Management System
Sourcecodester Loan Management System
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-02T14:37:03.326Z

Reserved: 2026-03-04T00:00:00.000Z

Link: CVE-2026-30521

cve-icon Vulnrichment

Updated: 2026-04-02T14:36:53.969Z

cve-icon NVD

Status : Modified

Published: 2026-03-31T19:16:25.753

Modified: 2026-04-02T15:16:36.773

Link: CVE-2026-30521

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-03T09:37:58Z

Weaknesses