CVE-2026-30520

A Blind SQL Injection vulnerability exists in SourceCodester Loan Management System v1.0. The vulnerability is located in the ajax.php file (specifically the save loan action). The application fails to properly sanitize user input supplied to the "borrower id" parameter in a POST request, allowing an authenticated attacker to inject malicious SQL commands.