{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-6023", "assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05", "state": "PUBLISHED", "assignerShortName": "ProgressSoftware", "dateReserved": "2026-04-09T15:47:27.389Z", "datePublished": "2026-04-22T07:13:07.933Z", "dateUpdated": "2026-04-23T03:56:12.523Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05", "shortName": "ProgressSoftware", "dateUpdated": "2026-04-22T07:13:07.933Z"}, "title": "Deserialization of Untrusted Data Vulnerability in Telerik UI for ASP.NET AJAX", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "CAPEC-586 Object Injection"}]}], "affected": [{"vendor": "Progress Software", "product": "Telerik UI for ASP.NET AJAX", "versions": [{"status": "affected", "version": "2024.4.1114", "lessThan": "2026.1.421", "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "In Progress\u00ae Telerik\u00ae UI for AJAX versions 2024.4.1114 through 2026.1.421, the RadFilter control is vulnerable to insecure deserialization when restoring filter state if the state is exposed to the client. If an attacker tampers with this state, a server-side remote code execution is possible.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>In Progress\u00ae Telerik\u00ae UI for AJAX versions 2024.4.1114 through 2026.1.421, the RadFilter control is vulnerable to insecure deserialization when restoring filter state if the state is exposed to the client. If an attacker tampers with this state, a server-side remote code execution is possible.</p>"}]}], "references": [{"url": "https://www.telerik.com/products/aspnet-ajax/documentation/knowledge-base/kb-security-deserialization-of-untrusted-data-cve-2026-6023", "tags": ["vendor-advisory"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseSeverity": "HIGH", "baseScore": 8.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}}], "source": {"discovery": "INTERNAL"}, "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-22T00:00:00+00:00", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2026-6023"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-23T03:56:12.523Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-6023", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-22T12:23:03.512197Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T12:23:08.749Z"}}], "cna": {"title": "Deserialization of Untrusted Data Vulnerability in Telerik UI for ASP.NET AJAX", "source": {"discovery": "INTERNAL"}, "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "CAPEC-586 Object Injection"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Progress Software", "product": "Telerik UI for ASP.NET AJAX", "versions": [{"status": "affected", "version": "2024.4.1114", "lessThan": "2026.1.421", "versionType": "custom"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://www.telerik.com/products/aspnet-ajax/documentation/knowledge-base/kb-security-deserialization-of-untrusted-data-cve-2026-6023", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "In Progress\u00ae Telerik\u00ae UI for AJAX versions 2024.4.1114 through 2026.1.421, the RadFilter control is vulnerable to insecure deserialization when restoring filter state if the state is exposed to the client. If an attacker tampers with this state, a server-side remote code execution is possible.", "supportingMedia": [{"type": "text/html", "value": "<p>In Progress\u00ae Telerik\u00ae UI for AJAX versions 2024.4.1114 through 2026.1.421, the RadFilter control is vulnerable to insecure deserialization when restoring filter state if the state is exposed to the client. If an attacker tampers with this state, a server-side remote code execution is possible.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data"}]}], "providerMetadata": {"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05", "shortName": "ProgressSoftware", "dateUpdated": "2026-04-22T07:13:07.933Z"}}}, "cveMetadata": {"cveId": "CVE-2026-6023", "state": "PUBLISHED", "dateUpdated": "2026-04-22T12:23:21.638Z", "dateReserved": "2026-04-09T15:47:27.389Z", "assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05", "datePublished": "2026-04-22T07:13:07.933Z", "assignerShortName": "ProgressSoftware"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:progress:telerik_ui_for_asp.net_ajax:*:*:*:*:*:*:*:*", "matchCriteriaId": "B012BE59-AF83-4A7E-A693-11B6E0ACB2C2", "versionEndExcluding": "2026.1.421", "versionStartIncluding": "2024.4.1114", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In Progress\u00ae Telerik\u00ae UI for AJAX versions 2024.4.1114 through 2026.1.421, the RadFilter control is vulnerable to insecure deserialization when restoring filter state if the state is exposed to the client. If an attacker tampers with this state, a server-side remote code execution is possible."}], "id": "CVE-2026-6023", "lastModified": "2026-05-05T18:39:06.497", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "security@progress.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-22T08:16:13.040", "references": [{"source": "security@progress.com", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://www.telerik.com/products/aspnet-ajax/documentation/knowledge-base/kb-security-deserialization-of-untrusted-data-cve-2026-6023"}], "sourceIdentifier": "security@progress.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "security@progress.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2024.4.1114,2026.1.421)"}}], "enrichment": {"confidence": 89.0, "confidence_source": "matching", "scores": [{"score": 89.0, "source": "matching"}]}, "original": {"product": "Telerik UI for ASP.NET AJAX", "source": "cna", "vendor": "Progress Software"}, "product": "telerik_ui_for_asp.net_ajax", "vendor": "progress"}], "analysis": {"en": {"generated_at": "2026-04-22T08:50:48.012130+00:00", "value": {"mitigation_remediation": ["Apply the vendor-published security patch or upgrade to a Telerik UI for ASP.NET AJAX version that includes the fix for the RadFilter deserialization issue.", "Disable client\u2011side state persistence for RadFilter until the patch is applied, for example by setting the StoreState property to false or removing the control from the page.", "Implement server\u2011side validation for incoming filter state data to ensure only expected and properly formatted data is deserialized, or restrict deserialization to trusted sources."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "Progress Software\u2019s Telerik UI for ASP.NET AJAX products are affected in versions 2024.4.1114 through 2026.1.421. These are the releases that include the RadFilter control vulnerable to tampered client\u2011exposed state.", "description_and_impact": "This vulnerability is caused by insecure deserialization of the RadFilter control's state when that state is made available to the client. An attacker can modify the serialized filter data before it is sent back to the server; the server then deserializes the tampered input, which can lead to execution of arbitrary code on the server. The weakness is classified as CWE-502. The impact is a server\u2011side remote code execution that compromises confidentiality, integrity, and availability of the affected application and any underlying system resources.", "risk_and_exploitability": "The CVSS score of 8.1 indicates a high\u2011severity vulnerability. The exploit probability is not quantified by EPSS, but the vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector requires an attacker to supply crafted filter state data from the client side; therefore, an attacker must be able to inject or modify a request containing the serialized filter state. If successful, remote code execution is possible on the application server."}}}}, "created": "2026-04-22T09:00:09.431770+00:00", "updated": "2026-04-22T11:30:15.175551+00:00", "vendors": ["progress", "progress$PRODUCT$telerik_ui_for_asp.net_ajax"]}