Home / Vulnerability Intelligence / CVE-2026-30522

CVE-2026-30522 - Vulnerability Analysis

MediumCVSS: 6.5

Last Updated: April 1, 2026

SourceCodester Loan Management System - Business Logic Vulnerability

Published: April 1, 2026Updated: April 1, 2026PoC AvailableRemote Exploitable

Overview

SourceCodester Loan Management System v1.0 contains a business logic vulnerability caused by improper server-side validation of the "Monthly Overdue Penalty" field, letting authenticated attackers submit negative penalty rates by manipulating HTTP POST requests.

Severity & Score

Severity: Medium

CVSS Score: 6.5

Impact

Authenticated attackers can manipulate penalty rates, potentially disrupting loan calculations and financial data integrity.

Mitigation

Update to the latest version with proper server-side validation for penalty rates.

References

https://github.com/meifukun/Web-Security-PoCs/blob/main/Loan-Management-System/BusinessLogic-LoanPlan-NegativePenalty.md

Related Resources

Details

CVE ID: CVE-2026-30522
Severity: Medium
CVSS Score: 6.5
Type: broken_access_control
Status: confirmed

CWE

CWE-602

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N