6.5
CVE-2026-30523
SourceCodester · Loan Management System

Description

A Business Logic vulnerability exists in SourceCodester Loan Management System v1.0 due to the lack of proper input validation. The application allows administrators to define "Loan Plans" which determine the duration of a loan (in months). However, the backend fails to validate that the duration must be a positive integer. An attacker can submit a negative value for the months parameter. The system accepts this invalid data and creates a loan plan with a negative duration.

Affected Products

Vendor: SourceCodester
Product: Loan Management System
Versions: 1.0

References

  • https://github.com/meifukun/Web-Security-PoCs/blob/main/Loan-Management-System/BusinessLogic-LoanPlan-NegativeMonths.md

Related News (1 articles)

VulDB · Tier C · 22h ago
CVE-2026-30523 | SourceCodester Loan Management System 1.0 Loan Plans months logic error (EUVD-2026-17897)
→ No new info (linked only)

CVSS 3.1: 6.5 MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
CISA KEV: No
Actively exploited: No
CWE: CWE-20
Published: Apr 1, 2026
Last enriched: 17h ago (v2)
Trending Score: 21
Source articles: 1
Independent: 1
Info Completeness: 8/14
Missing: epss, kev, exploit, patch, iocs, mitre_attack

Related CVEs (5)

HIGH · CVE-2026-30573
A Business Logic vulnerability exists in SourceCodester Pharmacy Product Management System 1.0. The vulnerability is located in the add-sales.php file. The application fails to validate the "txtprice"
Trending: 25

MEDIUM · CVE-2026-30526
A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Zoo Management System v1.0. The vulnerability is located in the login page, specifically within the msg parameter. The app
Trending: 21

MEDIUM · CVE-2026-5330
SourceCodester/mayuri_k Best Courier Management System User Delete ajax.php access control

MEDIUM · CVE-2026-5326
SourceCodester Leave Application System User Information index.php authorization

LOW · CVE-2026-5325
SourceCodester Simple Customer Relationship Management System Create Ticket create-ticket.php cross site scripting

Verification

State: verified
Confidence: 100%

Vulnerability Timeline

CVE Published
Apr 1, 2026
Discovered by ZDM
Apr 1, 2026
Updated: vendor, product, affectedVersions
Apr 1, 2026

Version History

v2 · Tier C · 17h ago

Updated vendor and product information, marked the severity as HIGH, and noted that the vulnerability is actively exploited.

Updated: vendor, product, affectedVersions
via VulDB

v1 · 18h ago

Initial creation