CVE-2026-30520

A Blind SQL Injection vulnerability exists in SourceCodester Loan Management System v1.0. The vulnerability is located in the ajax.php file (specifically the save_loan action). The application fails to properly sanitize user input supplied to the “borrower_id” parameter in a POST request, allowing an authenticated attacker to inject malicious SQL commands.

More information : https://github.com/meifukun/Web-Security-PoCs/blob/main/Loan-Management-System/SQLi-SaveLoan-borrowerId.md