CVE-2026-30521
Business Logic Flaw in SourceCodester Loan Management System Allows Negative Interest Rates
Publication date: 2026-03-31
Last updated on: 2026-04-02
Assigner: MITRE
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| oretnom23 | loan_management_system | 1.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-602 | The product is composed of a server that relies on the client to implement a mechanism that is intended to protect the server. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Business Logic flaw in the SourceCodester Loan Management System version 1.0. It occurs because the server does not properly validate input on the backend when administrators create loan plans with specific interest rates.
While the frontend interface prevents users from entering negative interest rates by blocking such input, this restriction is not enforced on the server side. An authenticated attacker can bypass the frontend validation by manipulating the HTTP POST request to submit a negative value for the interest_percentage parameter.
As a result, loan plans with negative interest rates can be created, which violates the system's financial logic and can cause incorrect loan calculations.
How can this vulnerability impact me?
This vulnerability can impact you by corrupting financial data integrity within the Loan Management System.
It disrupts the business logic by allowing loan calculations to yield incorrect or negative interest amounts.
If such loan plans with negative interest rates are applied to real loans, it could lead to financial loss because the system might deduct money instead of adding interest.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to create a loan plan with a negative interest rate via a manipulated HTTP POST request to the endpoint ajax.php?action=save_plan. Since the frontend blocks negative values but the backend does not validate them, sending a crafted POST request with a negative interest_percentage value will reveal if the system is vulnerable.
A practical detection method is to use a curl command to send such a request and observe if the system accepts the negative interest rate.
```bash
curl --compressed -s -i -X POST 'http://127.0.0.1:8082/ajax.php?action=save_plan' \
  -F "id=" \
  -F "months=12" \
  -F "interest_percentage=-5.5" \
  -F "penalty_rate=2" \
  -w "\nHTTP_STATUS:%{http_code}" \
  -H "Cookie: PHPSESSID=YOUR_COOKIE_HERE"
```
If the response indicates success and the loan plan is created with a negative interest rate, the vulnerability exists.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include implementing proper server-side validation to reject any negative values for the interest_percentage parameter when creating loan plans.
Since the frontend validation can be bypassed, the backend must enforce constraints to ensure that only valid, non-negative interest rates are accepted.
Additionally, review and sanitize all inputs on the server side to prevent manipulation of business logic.
If possible, temporarily restrict administrator access or monitor logs for suspicious POST requests attempting to submit negative interest rates until a patch or update is applied.
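The following is an added example of the server-side check the mitigation calls for, together with the logging of rejected attempts mentioned above. It is not code from the SourceCodester Loan Management System. The field names (id, months, interest_percentage, penalty_rate) are those of the request shown in the detection section; the handler structure, the persistence callback and the log line format are assumptions made for illustration.

```php
<?php
// Added example (not the project's code): server-side validation for a
// save_plan handler. Field names are taken from the advisory's request;
// the handler structure, $save callback and log format are assumptions.

declare(strict_types=1);

/**
 * Validate the fields of a loan-plan save request.
 * Returns a list of error messages; an empty list means the input is valid.
 */
function validate_plan_input(array $post): array
{
    $errors = [];

    // months: a whole number of at least 1
    $months = filter_var($post['months'] ?? null, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    if ($months === false) {
        $errors[] = 'months must be a whole number of at least 1';
    }

    // interest_percentage: a finite, non-negative number.
    // FILTER_VALIDATE_FLOAT happily accepts "-5.5", so the range check is explicit.
    $interest = filter_var($post['interest_percentage'] ?? null, FILTER_VALIDATE_FLOAT);
    if ($interest === false || !is_finite($interest) || $interest < 0) {
        $errors[] = 'interest_percentage must be a non-negative number';
    }

    // penalty_rate: same rule as interest_percentage
    $penalty = filter_var($post['penalty_rate'] ?? null, FILTER_VALIDATE_FLOAT);
    if ($penalty === false || !is_finite($penalty) || $penalty < 0) {
        $errors[] = 'penalty_rate must be a non-negative number';
    }

    // id: empty for a new plan, otherwise a positive integer
    $id = $post['id'] ?? '';
    if ($id !== '' && filter_var($id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]) === false) {
        $errors[] = 'id must be empty or a positive integer';
    }

    return $errors;
}

/**
 * Reject invalid input before it reaches the database and record the attempt,
 * so that bypasses of the frontend check show up in the server log.
 * $save is the caller's persistence routine (assumed; not shown here).
 */
function save_plan(array $post, callable $save, string $actor = 'unknown'): array
{
    $errors = validate_plan_input($post);
    if ($errors !== []) {
        // The UI already blocks negative values, so a rejection here means the
        // request did not come through the form and is worth a log line.
        error_log(sprintf(
            'save_plan rejected for user=%s months=%s interest_percentage=%s penalty_rate=%s: %s',
            $actor,
            $post['months'] ?? '',
            $post['interest_percentage'] ?? '',
            $post['penalty_rate'] ?? '',
            implode('; ', $errors)
        ));
        return ['status' => 'failed', 'errors' => $errors];
    }

    $id = $post['id'] ?? '';
    $save([
        'id'                  => $id === '' ? null : (int) $id,
        'months'              => (int) $post['months'],
        'interest_percentage' => (float) $post['interest_percentage'],
        'penalty_rate'        => (float) $post['penalty_rate'],
    ]);
    return ['status' => 'success'];
}

// Demonstration with constructed input mirroring the advisory's request.
$noopSave = function (array $row): void { /* persistence stand-in */ };

$blocked = save_plan(
    ['id' => '', 'months' => '12', 'interest_percentage' => '-5.5', 'penalty_rate' => '2'],
    $noopSave,
    'admin'
);
$accepted = save_plan(
    ['id' => '', 'months' => '12', 'interest_percentage' => '5.5', 'penalty_rate' => '2'],
    $noopSave,
    'admin'
);

assert($blocked['status'] === 'failed');
assert($accepted['status'] === 'success');
echo json_encode($blocked), PHP_EOL;
echo json_encode($accepted), PHP_EOL;
```

Run with `php save_plan_example.php`: the first request (the negative rate from the detection section) is rejected and logged, the second is passed on to the persistence callback. The check lives in the handler rather than in the form, which is the only place it cannot be skipped by editing the POST body.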
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.