CVE-2026-6023

HIGH

Deserialization of Untrusted Data Vulnerability in Telerik UI for ASP.NET AJAX

Title source: cna

Description

In Progress® Telerik® UI for AJAX versions 2024.4.1114 through 2026.1.421, the RadFilter control is vulnerable to insecure deserialization when restoring filter state if the state is exposed to the client. If an attacker tampers with this state, server-side remote code execution is possible.

Scores

CVSS v3: 8.1
EPSS: 0.0045
EPSS Percentile: 63.8%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Source: Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: total

Details

CWE: CWE-502
Status: published
Products (1): Progress Software/Telerik UI for ASP.NET AJAX 2024.4.1114 - 2026.1.421
Published: Apr 22, 2026
Tracked Since: Apr 22, 2026