CVE-2024-12251

HIGH

Telerik UI for WinUI 2.0.0-2.0.0 - Command Injection via Hyperlink Element

Title source: llm

Description

In Progress Telerik UI for WinUI versions prior to 2025 Q1 (3.0.0), a command injection attack is possible through improper neutralization of hyperlink elements.

References (1)

Core 1

Core References

Vendor Advisory

https://docs.telerik.com/devtools/winui/security/kb-security-command-injection-cve-2024-12251

Scores

CVSS v3 7.8

EPSS 0.0024

EPSS Percentile 47.4%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-77

Status published

Products (3)

progress/telerik_ui_for_winui 2.0.0 - 3.0.0

Progress Software/Telerik UI for WinUI 2.0.0 - 3.0.0

telerik/ui_for_winui 2.0.0 - 3.0.0

Published Feb 12, 2025

Tracked Since Feb 18, 2026