CVE-2026-30523
Business Logic Flaw in SourceCodester Loan Management Allows Negative Duration
Publication date: 2026-04-01
Last updated on: 2026-04-07
Assigner: MITRE
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| oretnom23 | loan_management_system | 1.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-30523 is a business logic vulnerability in SourceCodester Loan Management System version 1.0. It occurs because the system does not properly validate the loan duration parameter `months`: the Plan Management component accepts negative values for a field that should logically be a positive integer.
This flaw allows loan plans with negative durations to be created, which corrupts the application's business logic. Because loan schedules and due-date calculations assume a positive timeframe, negative values can cause incorrect schedule generation, exceptions, infinite loops, and inconsistent data in the database.
How can this vulnerability impact me?
The vulnerability can impact you by causing corruption of the loan management system's business logic. Loan plans with negative durations can disrupt the normal processing of loans, leading to errors in schedule generation and due date calculations.
This can result in system instability, such as exceptions or infinite loops during loan processing, and may cause inconsistencies in the database. Ultimately, this could affect the reliability and correctness of loan management operations.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the Plan Management component of the Loan Management System, specifically the endpoint `ajax.php?action=save_plan`. By sending a POST request with the `months` parameter set to a negative value, you can verify if the system improperly accepts it.
A suggested command to test this is using curl to send a crafted POST request:
- curl -X POST -d "action=save_plan&months=-2" http://[target]/ajax.php
If the system accepts this request and creates a loan plan with a negative duration, the vulnerability is present.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include implementing proper input validation on the `months` parameter to ensure it only accepts positive integers.
Additionally, reviewing and correcting any existing loan plans with negative durations in the database can help prevent logical errors.
If possible, restrict access to the Plan Management endpoint to trusted administrators and monitor for suspicious input values.
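The following is an added example, not code from the SourceCodester project or from this record: a hypothetical `save_plan` handler written the way such endpoints commonly are, beside a hardened version that applies the validation described in the mitigation steps (and, by construction, removes the negative-duration root cause described in the impact section). The table and column names (`loan_plans`, `plan_name`, `months`, `monthly_interest`), the 600-month upper bound, the JSON response shape and the database credentials are all assumptions for illustration; the code targets PHP 8 with PDO.

```php
<?php
// Added example (not the SourceCodester project's own code): a hypothetical
// save_plan handler in its vulnerable and hardened forms. Table/column names,
// the response shape and the 600-month policy limit are assumptions.
declare(strict_types=1);

// --- Vulnerable pattern: the request value is stored as received.
// "months=-2" (or "0", "2.5", "abc") reaches the database unchanged and later
// feeds any schedule generator that iterates from 1 to $months.
function save_plan_vulnerable(PDO $db, array $post): int
{
    $stmt = $db->prepare(
        'INSERT INTO loan_plans (plan_name, months, monthly_interest) VALUES (?, ?, ?)'
    );
    $stmt->execute([$post['plan_name'], $post['months'], $post['monthly_interest']]);
    return (int) $db->lastInsertId();
}

// --- Hardened pattern: validate server-side before touching the database.
// Returns the validated integer or throws; client-side checks are not trusted.
function validate_months(mixed $raw, int $max = 600): int
{
    // FILTER_VALIDATE_INT rejects floats, exponent and hex notation, and empty
    // strings; min_range/max_range encode the business rule "positive and sane".
    // The 600-month (50-year) ceiling is an assumed policy value.
    $months = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => $max],
    ]);
    if ($months === false) {
        throw new InvalidArgumentException("months must be an integer between 1 and {$max}");
    }
    return $months;
}

function save_plan_hardened(PDO $db, array $post): int
{
    $months = validate_months($post['months'] ?? null);
    $name   = trim((string) ($post['plan_name'] ?? ''));
    if ($name === '') {
        throw new InvalidArgumentException('plan_name is required');
    }
    $stmt = $db->prepare(
        'INSERT INTO loan_plans (plan_name, months, monthly_interest) VALUES (:name, :months, :rate)'
    );
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->bindValue(':months', $months, PDO::PARAM_INT);   // validated integer only
    $stmt->bindValue(':rate', (string) (float) ($post['monthly_interest'] ?? 0), PDO::PARAM_STR);
    $stmt->execute();
    return (int) $db->lastInsertId();
}

// Dispatch in the style of an ajax.php?action=save_plan endpoint (assumed layout).
if (PHP_SAPI !== 'cli' && ($_GET['action'] ?? '') === 'save_plan') {
    header('Content-Type: application/json');
    try {
        $db = new PDO('mysql:host=localhost;dbname=loan_db', 'user', 'pass', [
            PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        ]);
        echo json_encode(['status' => 'success', 'id' => save_plan_hardened($db, $_POST)]);
    } catch (InvalidArgumentException $e) {
        http_response_code(400);   // reject bad input instead of storing it
        echo json_encode(['status' => 'failed', 'msg' => $e->getMessage()]);
    }
}

// Command-line self-check with constructed inputs: run `php save_plan_example.php`.
if (PHP_SAPI === 'cli') {
    $cases = ['12' => true, '-2' => false, '0' => false, '2.5' => false, 'abc' => false, '' => false];
    foreach ($cases as $input => $expected) {
        try {
            validate_months((string) $input);
            $accepted = true;
        } catch (InvalidArgumentException) {
            $accepted = false;
        }
        printf("%-6s -> %s\n", var_export((string) $input, true), $accepted === $expected ? 'ok' : 'UNEXPECTED');
    }
}
```

Validation in the handler is the fix the record calls for; as defence in depth, a `CHECK (months > 0)` constraint on the plans table (enforced by MySQL 8.0.16 and later) stops a negative duration from ever being stored if another code path forgets the check, and the same 400 responses give a log signal for the "suspicious input values" the mitigation section says to monitor.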
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.