Description
A Business Logic vulnerability exists in SourceCodester Loan Management System v1.0 due to the lack of proper input validation. The application allows administrators to define "Loan Plans" which determine the duration of a loan (in months). However, the backend fails to validate that the duration must be a positive integer. An attacker can submit a negative value for the months parameter. The system accepts this invalid data and creates a loan plan with a negative duration.
Published: 2026-04-01
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Business logic flaw permitting creation of loan plans with negative durations that may lead to perpetual or otherwise abused financial products
Action: Patch now
AI Analysis

Impact

The application lets administrators configure loan plans by specifying a duration in months, but the backend never checks that this value is a positive integer. An attacker who can submit the administrative request can send a negative months value; the system stores the plan and treats it as a legitimate loan schedule. A plan whose term ends before it begins yields a maturity date earlier than the disbursement date, so downstream logic that computes instalments, due dates, interest or default status operates on nonsensical terms. The practical effect is a loan that never matures or is never flagged overdue, along with distorted financial reporting and risk exposure. This is a business logic error rather than a memory or injection bug, which is why it is classified as CWE-20 (Improper Input Validation).

Affected Systems

The SourceCodester Loan Management System, version 1.0, is vulnerable. No other vendor or product versions are mentioned, and the vulnerability is specific to this application stack.

Risk and Exploitability

With a CVSS 3.1 base score of 6.5 (AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H), the flaw is rated Medium. The vector is network-reachable but requires high privileges: only an authenticated administrator can create a loan plan, so the realistic threat is a compromised, shared or abused admin account rather than an unauthenticated remote attacker. The EPSS score is below 1 %, indicating that widespread exploitation is unlikely at present, and the vulnerability is not listed in CISA's KEV catalog. The SSVC record marks Exploitation as "poc", meaning a proof of concept exists, while Automatable is "no". An attacker who sets the months parameter to a negative number can create loan plans that never expire or misrepresent loan terms, enabling financial abuse. The low exploitation probability does not remove the need to fix the underlying input validation bug, because the fix is trivial and the impact on integrity of financial records is high.

Generated by OpenCVE AI on April 7, 2026 at 19:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Change the application code so that the loan duration is validated as a positive integer before the plan is persisted, i.e. add server‑side input validation that rejects zero, negative, fractional and non‑numeric values and enforces a sensible upper bound.
  • If an official patch or newer version of SourceCodester Loan Management System that includes this validation is available, upgrade immediately.
  • Restrict administrative access to trusted personnel and monitor account activity for attempts to create loan plans with anomalous parameters.
  • Apply general secure coding best practices, such as implementing server‑side validation for all inputs irrespective of client‑side checks.
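The following is an added example, not code from the Loan Management System (which is a PHP application) or from OpenCVE. It illustrates both the Impact section above and the recommended actions: first it computes a maturity date for a plan with a negative term, showing that the maturity falls before the start date; then it gives the strict validation that should run server‑side before a plan is saved; finally it sweeps a set of submissions for anomalous durations, as a basis for the monitoring suggested above. The field name months is taken from the advisory; the upper bound MAX_MONTHS and the submission records are assumptions constructed for the example.

```python
"""Added example: negative-duration loan plans and strict server-side validation.
Not the project's own code; the PHP application is modelled here in Python."""
import calendar
import re
from datetime import date

# Assumption: no legitimate product runs longer than 50 years. Set per business policy.
MAX_MONTHS = 600


def add_months(start: date, months: int) -> date:
    """Add a (possibly negative) number of whole months to a date.

    The day is clamped to the length of the target month, so 31 Jan + 1 month
    is 28 Feb. This is the kind of helper a loan system uses to derive a
    maturity date; it happily walks backwards when months is negative.
    """
    total = start.year * 12 + (start.month - 1) + months
    year, month0 = divmod(total, 12)
    last_day = calendar.monthrange(year, month0 + 1)[1]
    return date(year, month0 + 1, min(start.day, last_day))


def matures_before_start(start: date, months: int) -> bool:
    """True when the plan's computed maturity precedes its start date.

    This is the observable consequence of the vulnerability: with months=-12
    the loan is already 'matured' a year before it was disbursed.
    """
    return add_months(start, months) < start


class InvalidDuration(ValueError):
    """Raised when the submitted months field is not an acceptable term."""


def parse_months(raw) -> int:
    """Strict parse of the 'months' form field (the missing check).

    Only a string of ASCII digits denoting an integer in [1, MAX_MONTHS] is
    accepted. Sign characters, whitespace, decimals, exponents and empty input
    are all rejected, so '-12', '+3', '0', '1.5', '1e3' and ' 12' fail. The
    digit-only regex is checked before int() so that Python's own lenient
    parsing (it accepts '+3' and ' 12') cannot be relied upon.
    """
    if not isinstance(raw, str):
        raise InvalidDuration("months must be submitted as a string field")
    if not re.fullmatch(r"[0-9]{1,4}", raw):
        raise InvalidDuration(f"months must be a positive integer, got {raw!r}")
    months = int(raw)
    if not 1 <= months <= MAX_MONTHS:
        raise InvalidDuration(f"months must be between 1 and {MAX_MONTHS}, got {months}")
    return months


def is_valid_months(raw) -> bool:
    """Boolean wrapper around parse_months for filtering and tests."""
    try:
        parse_months(raw)
    except InvalidDuration:
        return False
    return True


# Constructed sample of admin form submissions, as an audit log or request
# capture might record them. Not real data.
SAMPLE_SUBMISSIONS = [
    {"user": "admin", "plan": "Standard 12", "months": "12"},
    {"user": "admin", "plan": "Perpetual", "months": "-12"},
    {"user": "admin", "plan": "Zero term", "months": "0"},
    {"user": "admin", "plan": "Fractional", "months": "1.5"},
    {"user": "admin", "plan": "Long", "months": "240"},
]


def find_anomalous_plans(submissions) -> list:
    """Return the plan names whose months value would fail strict validation.

    Running this over historical submissions finds plans created while the
    backend was still accepting invalid durations.
    """
    return [s["plan"] for s in submissions if not is_valid_months(s["months"])]


if __name__ == "__main__":
    start = date(2026, 4, 1)
    print("maturity for months=-12:", add_months(start, -12),
          "precedes start:", matures_before_start(start, -12))
    for raw in ("12", "-12", "0", "1.5", " 12", "+3", "1e3", ""):
        print(f"{raw!r:8} valid={is_valid_months(raw)}")
    print("anomalous plans:", find_anomalous_plans(SAMPLE_SUBMISSIONS))
```

The validation deliberately works on the raw string rather than on a value already cast to an integer: casting first is how a negative slips through, because the only question left after int() is "is it a number", not "is it a sensible term".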

Generated by OpenCVE AI on April 7, 2026 at 19:48 UTC.

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 20:15:00 +0000

  Type: Title
  Values added: Negative Duration Loan Plan Allowance

Tue, 07 Apr 2026 15:15:00 +0000

  Type: First time appeared
  Values added: Oretnom23; Oretnom23 Loan Management System

  Type: CPEs
  Values added: cpe:2.3:a:oretnom23:loan_management_system:1.0:*:*:*:*:*:*:*

  Type: Vendors & Products
  Values added: Oretnom23; Oretnom23 Loan Management System

Thu, 02 Apr 2026 20:30:00 +0000

  Type: Title
  Values added: Negative Duration Loan Plan Allowance

  Type: First time appeared
  Values added: Sourcecodester; Sourcecodester Loan Management System

  Type: Vendors & Products
  Values added: Sourcecodester; Sourcecodester Loan Management System

Wed, 01 Apr 2026 23:45:00 +0000

  Type: Description
  Values added: A Business Logic vulnerability exists in SourceCodester Loan Management System v1.0 due to the lack of proper input validation. The application allows administrators to define "Loan Plans" which determine the duration of a loan (in months). However, the backend fails to validate that the duration must be a positive integer. An attacker can submit a negative value for the months parameter. The system accepts this invalid data and creates a loan plan with a negative duration.

  Type: Weaknesses
  Values added: CWE-20

  Type: References
  Values added: (none recorded)

  Type: Metrics
  Values added:
    cvssV3_1: score 6.5, vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
    ssvc (version 2.0.3): Automatable: no; Exploitation: poc; Technical Impact: partial


MITRE

Status: PUBLISHED

Assigner: mitre

Updated: 2026-04-01T17:56:53.409Z

Reserved: 2026-03-04T00:00:00.000Z

Link: CVE-2026-30523

Vulnrichment

Updated: 2026-04-01T17:56:23.867Z

NVD

Status : Analyzed

Published: 2026-04-01T15:22:59.170

Modified: 2026-04-07T12:03:10.197

Link: CVE-2026-30523

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T20:00:00Z

Weaknesses