CVE-2026-6022

Published Apr 22, 2026

Last updated a month ago

CVSS high 7.5

Overview

Description: In Progress® Telerik® UI for AJAX prior to 2026.1.421, RadAsyncUpload contains an uncontrolled resource consumption vulnerability that allows file uploads to exceed the configured maximum size due to missing cumulative size enforcement during chunk reassembly, leading to disk space exhaustion.
Source: security@progress.com
NVD status: Analyzed
Products: telerik_ui_for_asp.net_ajax

Risk scores

CVSS 3.1

Type: Secondary
Base score: 7.5
Impact score: 3.6
Exploitability score: 3.9
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Severity: HIGH

Weaknesses

security@progress.com: CWE-400

Hype score: Not currently trending

⚠️ Vulnerabilidades en productos Progress ❗ CVE-2026-6023 ❗ CVE-2026-6022 ➡️ Más info: https://t.co/UuIARDDwv0 https://t.co/i1d3Th8sHU
@CERTpy
19 May 2026
80 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes

Configurations

[
  {
    "nodes": [
      {
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:progress:telerik_ui_for_asp.net_ajax:*:*:*:*:*:*:*:*",
            "matchCriteriaId": "E2294D8C-7233-41C4-8A32-DB1239FC7805",
            "versionEndExcluding": "2026.1.421",
            "vulnerable": true
          }
        ],
        "negate": false,
        "operator": "OR"
      }
    ]
  }
]

References

Sources include official advisories and independent security research.

Overview

Risk scores

CVSS 3.1

Weaknesses

Social media

Configurations

Related CVEs

References