{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-30521", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-02T14:37:03.326Z", "dateReserved": "2026-03-04T00:00:00.000Z", "datePublished": "2026-03-31T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-31T18:07:33.773Z"}, "descriptions": [{"lang": "en", "value": "A Business Logic vulnerability exists in SourceCodester Loan Management System v1.0 due to improper server-side validation. The application allows administrators to create \"Loan Plans\" with specific interest rates. While the frontend interface prevents users from entering negative numbers, this constraint is not enforced on the backend. An authenticated attacker can bypass the client-side restriction by manipulating the HTTP POST request to submit a negative value for the interest_percentage. This results in the creation of loan plans with negative interest rates."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/meifukun/Web-Security-PoCs/blob/main/Loan-Management-System/BusinessLogic-LoanPlan-NegativeInterest.md"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-602", "lang": "en", "description": "CWE-602 Client-Side Enforcement of Server-Side Security"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-02T14:34:20.710448Z", "id": "CVE-2026-30521", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T14:37:03.326Z"}}]}, "dataVersion": "5.2"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:oretnom23:loan_management_system:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "7902576E-876D-4BE4-8EF6-28B7403B130D", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A Business Logic vulnerability exists in SourceCodester Loan Management System v1.0 due to improper server-side validation. The application allows administrators to create \"Loan Plans\" with specific interest rates. While the frontend interface prevents users from entering negative numbers, this constraint is not enforced on the backend. An authenticated attacker can bypass the client-side restriction by manipulating the HTTP POST request to submit a negative value for the interest_percentage. This results in the creation of loan plans with negative interest rates."}], "id": "CVE-2026-30521", "lastModified": "2026-04-01T20:41:17.690", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-31T19:16:25.753", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/meifukun/Web-Security-PoCs/blob/main/Loan-Management-System/BusinessLogic-LoanPlan-NegativeInterest.md"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "1.0"}}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "loan_management_system", "vendor": "sourcecodester"}], "analysis": {"en": {"generated_at": "2026-03-31T19:26:25.080236+00:00", "value": {"mitigation_remediation": ["Apply vendor patch for SourceCodester Loan Management System v1.0 if available", "Implement server\u2011side validation to reject negative interest_percentage values", "Enforce a numeric range check (e.g., 0\u2013100%) for all interest rate inputs", "Perform a thorough code review to confirm all user\u2011supplied parameters are validated on the server", "Monitor application logs for creation of loan plans with negative interest rates"], "summary": {"action": "Patch Immediately", "impact": "Business logic manipulation allowing creation of loan plans with negative interest rates"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the SourceCodester Loan Management System, specifically the Loan Plan creation module in version 1.0. No other vendors or products were identified in the CNA data.", "description_and_impact": "A business logic flaw in SourceCodester Loan Management System version 1.0 permits authenticated administrators to submit negative values for the interest_percentage field. The client\u2011side interface blocks negative entries, but the server does not enforce this rule, enabling an attacker to craft an HTTP POST request with a negative interest rate. This results in loan plans that effectively pay the borrower rather than charging interest, potentially causing direct financial loss or undermining the system\u2019s economic model.", "risk_and_exploitability": "The flaw is limited to users who can authenticate with administrative privileges, so an attacker must first compromise or obtain valid credentials. No CVSS score, EPSS score, or KEV listing is available, but the financial implications are significant, as negative interest rates can erase loan repayments or generate fraudulent profit. With an approved authentication vector, the exploitation is straightforward: submit a signed POST request containing a negative interest_percentage and the system will accept and store the plan. The lack of server\u2011side validation makes this straightforward and time\u2011invariant, indicating a high exploitable risk for any organization still running this unpatched software."}}}}, "created": "2026-03-31T19:56:49.791496+00:00", "title": "Negative Interest Rate Allows Escalated Loan Plan Creation", "updated": "2026-03-31T20:39:46.672307+00:00", "vendors": ["sourcecodester", "sourcecodester$PRODUCT$loan_management_system"], "weaknesses": ["CWE-20", "CWE-190"]}