{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2878", "assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05", "state": "PUBLISHED", "assignerShortName": "ProgressSoftware", "dateReserved": "2026-02-20T16:20:51.770Z", "datePublished": "2026-02-25T14:45:11.142Z", "dateUpdated": "2026-02-27T17:06:16.616Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Telerik UI for ASP.NET AJAX", "vendor": "Progress Software", "versions": [{"lessThan": "2026.1.225", "status": "affected", "version": "2011.2.712", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Monetary Authority of Singapore"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "In Progress\u00ae Telerik\u00ae UI for AJAX, versions prior to 2026.1.225, an insufficient entropy vulnerability exists in RadAsyncUpload, where a predictable temporary identifier, based on timestamp and filename, can enable collisions and file content tampering."}], "value": "In Progress\u00ae Telerik\u00ae UI for AJAX, versions prior to 2026.1.225, an insufficient entropy vulnerability exists in RadAsyncUpload, where a predictable temporary identifier, based on timestamp and filename, can enable collisions and file content tampering."}], "impacts": [{"capecId": "CAPEC-149", "descriptions": [{"lang": "en", "value": "CAPEC-149 Explore for Predictable Temporary File Names"}]}, {"capecId": "CAPEC-26", "descriptions": [{"lang": "en", "value": "CAPEC-26 Leveraging Race Conditions"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-331", "description": "CWE-331 Insufficient Entropy", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05", "shortName": "ProgressSoftware", "dateUpdated": "2026-02-25T14:45:11.142Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://www.telerik.com/products/aspnet-ajax/documentation/knowledge-base/kb-security-insufficient-entropy-cve-2026-2878"}], "source": {"discovery": "EXTERNAL"}, "title": "Insufficient Entropy Vulnerability in Telerik UI for ASP.NET AJAX", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-27T17:06:09.729072Z", "id": "CVE-2026-2878", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-27T17:06:16.616Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-2878", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-27T17:06:09.729072Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-27T17:06:13.052Z"}}], "cna": {"title": "Insufficient Entropy Vulnerability in Telerik UI for ASP.NET AJAX", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Monetary Authority of Singapore"}], "impacts": [{"capecId": "CAPEC-149", "descriptions": [{"lang": "en", "value": "CAPEC-149 Explore for Predictable Temporary File Names"}]}, {"capecId": "CAPEC-26", "descriptions": [{"lang": "en", "value": "CAPEC-26 Leveraging Race Conditions"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Progress Software", "product": "Telerik UI for ASP.NET AJAX", "versions": [{"status": "affected", "version": "2011.2.712", "lessThan": "2026.1.225", "versionType": "custom"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://www.telerik.com/products/aspnet-ajax/documentation/knowledge-base/kb-security-insufficient-entropy-cve-2026-2878", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "In Progress\u00ae Telerik\u00ae UI for AJAX, versions prior to 2026.1.225, an insufficient entropy vulnerability exists in RadAsyncUpload, where a predictable temporary identifier, based on timestamp and filename, can enable collisions and file content tampering.", "supportingMedia": [{"type": "text/html", "value": "In Progress\u00ae Telerik\u00ae UI for AJAX, versions prior to 2026.1.225, an insufficient entropy vulnerability exists in RadAsyncUpload, where a predictable temporary identifier, based on timestamp and filename, can enable collisions and file content tampering.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-331", "description": "CWE-331 Insufficient Entropy"}]}], "providerMetadata": {"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05", "shortName": "ProgressSoftware", "dateUpdated": "2026-02-25T14:45:11.142Z"}}}, "cveMetadata": {"cveId": "CVE-2026-2878", "state": "PUBLISHED", "dateUpdated": "2026-02-27T17:06:16.616Z", "dateReserved": "2026-02-20T16:20:51.770Z", "assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05", "datePublished": "2026-02-25T14:45:11.142Z", "assignerShortName": "ProgressSoftware"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:progress:telerik_ui_for_asp.net_ajax:*:*:*:*:*:*:*:*", "matchCriteriaId": "2AFBB775-6FF6-4965-9CA9-0BA2F10494F7", "versionEndExcluding": "2026.1.225", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In Progress\u00ae Telerik\u00ae UI for AJAX, versions prior to 2026.1.225, an insufficient entropy vulnerability exists in RadAsyncUpload, where a predictable temporary identifier, based on timestamp and filename, can enable collisions and file content tampering."}], "id": "CVE-2026-2878", "lastModified": "2026-02-26T15:23:31.757", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 3.6, "source": "security@progress.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-02-25T15:20:54.293", "references": [{"source": "security@progress.com", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://www.telerik.com/products/aspnet-ajax/documentation/knowledge-base/kb-security-insufficient-entropy-cve-2026-2878"}], "sourceIdentifier": "security@progress.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-331"}], "source": "security@progress.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2011.2.712,2026.1.225)"}}], "enrichment": {"confidence": 89.0, "confidence_source": "matching", "scores": [{"score": 89.0, "source": "matching"}]}, "original": {"product": "Telerik UI for ASP.NET AJAX", "source": "cna", "vendor": "Progress Software"}, "product": "telerik_ui_for_asp.net_ajax", "vendor": "progress"}], "analysis": {"en": {"generated_at": "2026-04-17T15:15:25.894315+00:00", "value": {"mitigation_remediation": ["Upgrade Telerik UI for ASP.NET AJAX to version 2026.1.225 or later to eliminate the entropy flaw.", "If upgrading is not immediately possible, disable or remove the RadAsyncUpload component from your application to prevent use of the vulnerable code path.", "For custom upload handling, ensure that temporary filenames incorporate high\u2011entropy values\u2014such as a random UUID or a cryptographic hash\u2014to prevent collisions and maintain file integrity."], "summary": {"action": "Apply Patch", "impact": "Potential file content tampering due to predictable temporary identifiers"}, "threat_synthesis": {"affected_systems": "This vulnerability affects installations of Progress Software\u2019s Telerik UI for ASP.NET AJAX, specifically all versions earlier than 2026.1.225. Users of legacy versions should review their deployment to confirm whether RadAsyncUpload is used for handling file uploads.", "description_and_impact": "The issue resides in the RadAsyncUpload component of Progress Software\u2019s Telerik UI for ASP.NET AJAX. Prior to version 2026.1.225 the component generates a temporary file identifier that is only based on the current timestamp and the original filename. This lack of entropy allows an attacker to cause hash collisions, thereby enabling manipulation of the file contents stored on the server. The weakness is a classic example of insufficient entropy (CWE\u2011331), resulting in a medium severity vulnerability (CVSS 5.3) that could compromise integrity of uploaded files. The CVSS score reflects moderate impact, but the exploitation probability is low (EPSS < 1%).", "risk_and_exploitability": "Exploit requires an attacker\u2019s ability to upload a file through the RadAsyncUpload control. By manipulating the predictable temporary identifier, the attacker may force a collision and replace or modify the content of an existing upload. The likely attack vector is through the RadAsyncUpload component when a file upload operation is performed. Based on the description, it is inferred that the upload interface might be publicly exposed, allowing remote exploitation. The vulnerability can be leveraged locally or remotely if the upload interface is publicly exposed. Given the low EPSS score and absence from the KEV catalog, the current threat level remains medium but warrants remediation before an exploit surfaces."}}}}, "created": "2026-02-26T13:16:02.641890+00:00", "updated": "2026-04-17T15:30:06.012479+00:00", "vendors": ["progress", "progress$PRODUCT$telerik_ui_for_asp.net_ajax"]}