{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-30522", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-01T15:37:44.224Z", "dateReserved": "2026-03-04T00:00:00.000Z", "datePublished": "2026-04-01T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-01T14:00:36.059Z"}, "descriptions": [{"lang": "en", "value": "A Business Logic vulnerability exists in SourceCodester Loan Management System v1.0 due to improper server-side validation. The application allows administrators to create \"Loan Plans\" with specific penalty rates for overdue payments. While the frontend interface prevents users from entering negative numbers in the \"Monthly Overdue Penalty\" field, this constraint is not enforced on the backend. An authenticated attacker can bypass the client-side restriction by manipulating the HTTP POST request to submit a negative value for the penalty_rate."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/meifukun/Web-Security-PoCs/blob/main/Loan-Management-System/BusinessLogic-LoanPlan-NegativePenalty.md"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-602", "lang": "en", "description": "CWE-602 Client-Side Enforcement of Server-Side Security"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-01T15:37:14.053588Z", "id": "CVE-2026-30522", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-01T15:37:44.224Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-30522", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-01T15:37:14.053588Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-602", "description": "CWE-602 Client-Side Enforcement of Server-Side Security"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-01T15:35:50.703Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://github.com/meifukun/Web-Security-PoCs/blob/main/Loan-Management-System/BusinessLogic-LoanPlan-NegativePenalty.md"}], "descriptions": [{"lang": "en", "value": "A Business Logic vulnerability exists in SourceCodester Loan Management System v1.0 due to improper server-side validation. The application allows administrators to create \"Loan Plans\" with specific penalty rates for overdue payments. While the frontend interface prevents users from entering negative numbers in the \"Monthly Overdue Penalty\" field, this constraint is not enforced on the backend. An authenticated attacker can bypass the client-side restriction by manipulating the HTTP POST request to submit a negative value for the penalty_rate."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-01T14:00:36.059Z"}}}, "cveMetadata": {"cveId": "CVE-2026-30522", "state": "PUBLISHED", "dateUpdated": "2026-04-01T15:37:44.224Z", "dateReserved": "2026-03-04T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-04-01T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:oretnom23:loan_management_system:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "7902576E-876D-4BE4-8EF6-28B7403B130D", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A Business Logic vulnerability exists in SourceCodester Loan Management System v1.0 due to improper server-side validation. The application allows administrators to create \"Loan Plans\" with specific penalty rates for overdue payments. While the frontend interface prevents users from entering negative numbers in the \"Monthly Overdue Penalty\" field, this constraint is not enforced on the backend. An authenticated attacker can bypass the client-side restriction by manipulating the HTTP POST request to submit a negative value for the penalty_rate."}], "id": "CVE-2026-30522", "lastModified": "2026-04-01T18:44:04.007", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-01T14:16:50.027", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/meifukun/Web-Security-PoCs/blob/main/Loan-Management-System/BusinessLogic-LoanPlan-NegativePenalty.md"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-602"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "1.0"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "loan_management_system", "vendor": "oretnom23"}], "analysis": {"en": {"generated_at": "2026-04-02T03:13:36.216919+00:00", "value": {"mitigation_remediation": ["Update the application to the latest vendor release if a patch exists that validates penalty values on the server side.", "Implement server\u2011side validation that rejects any negative values for the monthly overdue penalty field.", "Ensure that the admin interface accepts only numeric values greater than or equal to zero.", "Review existing loan plans for negative penalty rates and correct them if discovered.", "Enable two\u2011factor authentication for all administrative accounts to reduce credential compromise risk.", "Monitor logs for unusual or unauthorized loan plan modifications and alert administrators."], "summary": {"action": "Assess Impact", "impact": "Financial Loss via Negative Penalty Rates"}, "threat_synthesis": {"affected_systems": "SourceCodester Loan Management System version 1.0 is the only product named in the CNA data. No other vendors or product versions are indicated.", "description_and_impact": "A business logic flaw in the SourceCodester Loan Management System permits an authenticated administrator to set a negative monthly overdue penalty when creating loan plans, because the backend does not enforce server\u2011side validation. The front\u2011end interface mistakenly blocks negative input, but an attacker can bypass this by forging the HTTP POST request. This enables borrowers to receive a reduced or even negative penalty, creating a financial advantage for the attacker and a monetary loss for the institution. The vulnerability is identified as CWE-602, reflecting unvalidated dependency logic.", "risk_and_exploitability": "The CVSS base score of 6.5 indicates moderate severity. Exploitation requires administrative credentials and the ability to submit crafted requests, while no EPSS data or KEV listing is available. Consequently, the probability of exploitation is uncertain, but the potential financial impact is clear once the flaw is leveraged. Administrators should monitor changes to loan plans and enforce server-side checks promptly."}}}}, "created": "2026-04-02T07:51:20.235740+00:00", "title": "Negative Overdue Penalty Allows Unauthorized Financial Gain", "updated": "2026-04-02T20:09:51.482465+00:00", "vendors": ["oretnom23", "oretnom23$PRODUCT$loan_management_system"]}