CVE-2026-6023

EUVD-2026-24632
In Progress® Telerik® UI for AJAX versions 2024.4.1114 through 2026.1.421, the RadFilter control is vulnerable to insecure deserialization when restoring filter state if the state is exposed to the client. If an attacker tampers with this state, server-side remote code execution is possible.
| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| ProgressSoftware | CNA | 8.1 HIGH | NETWORK | HIGH | NONE | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
EPSS Score percentile: Unknown
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
| Vendor | Product | Version | Source |
|---|---|---|---|
| progress | telerik_ui_for_asp.net_ajax | 2024.4.1114 ≤ x < 2026.1.421 | CNA |