CVE-2026-6022

HIGH

Uncontrolled Resource Consumption Vulnerability in Telerik UI for ASP.NET AJAX

Title source: cna

Description

In Progress® Telerik® UI for AJAX prior to 2026.1.421, RadAsyncUpload contains an uncontrolled resource consumption vulnerability that allows file uploads to exceed the configured maximum size due to missing cumulative size enforcement during chunk reassembly, leading to disk space exhaustion.

References (1)

[Vendor Advisory] https://www.telerik.com/products/aspnet-ajax/documentation/knowledge-base/kb-security-uncontrolled-resource-consumption-cve-2026-6022

Scores

CVSS v3 7.5

EPSS 0.0005

EPSS Percentile 16.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-400

Status published

Products (1)

Progress Software/Telerik UI for ASP.NET AJAX 2011.2.712 - 2026.1.421

Published Apr 22, 2026

Tracked Since Apr 22, 2026