CVE-2026-6023

Published Apr 22, 2026

Last updated a month ago

CVSS high 8.1

Overview

Description: In Progress® Telerik® UI for AJAX versions 2024.4.1114 through 2026.1.421, the RadFilter control is vulnerable to insecure deserialization when restoring filter state if the state is exposed to the client. If an attacker tampers with this state, a server-side remote code execution is possible.
Source: security@progress.com
NVD status: Analyzed
Products: telerik_ui_for_asp.net_ajax

Risk scores

CVSS 3.1

Type: Primary
Base score: 9.8
Impact score: 5.9
Exploitability score: 3.9
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity: CRITICAL

Weaknesses

security@progress.com: CWE-502

Hype score: Not currently trending

⚠️ Vulnerabilidades en productos Progress ❗ CVE-2026-6023 ❗ CVE-2026-6022 ➡️ Más info: https://t.co/UuIARDDwv0 https://t.co/i1d3Th8sHU
@CERTpy
19 May 2026
80 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes

Configurations

[
  {
    "nodes": [
      {
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:progress:telerik_ui_for_asp.net_ajax:*:*:*:*:*:*:*:*",
            "matchCriteriaId": "B012BE59-AF83-4A7E-A693-11B6E0ACB2C2",
            "versionEndExcluding": "2026.1.421",
            "versionStartIncluding": "2024.4.1114",
            "vulnerable": true
          }
        ],
        "negate": false,
        "operator": "OR"
      }
    ]
  }
]

References

Sources include official advisories and independent security research.

Overview

Risk scores

CVSS 3.1

Weaknesses

Social media

Configurations

Related CVEs

References