Impact
The issue resides in the RadAsyncUpload component of Progress Software’s Telerik UI for ASP.NET AJAX. Prior to version 2026.1.225 the component generates a temporary file identifier that is based only on the current timestamp and the original filename. This lack of entropy allows an attacker to cause hash collisions, thereby enabling manipulation of the file contents stored on the server. The weakness is a classic example of insufficient entropy (CWE‑331), resulting in a medium severity vulnerability (CVSS 5.3) that could compromise the integrity of uploaded files. The CVSS score reflects moderate impact, but the exploitation probability is low (EPSS < 1%).
Affected Systems
This vulnerability affects installations of Progress Software’s Telerik UI for ASP.NET AJAX, specifically all versions earlier than 2026.1.225. Users of legacy versions should review their deployment to confirm whether RadAsyncUpload is used for handling file uploads.
Risk and Exploitability
Exploitation requires that the attacker be able to upload a file through the RadAsyncUpload control. By manipulating the predictable temporary identifier, the attacker may force a collision and replace or modify the content of an existing upload. The attack vector is therefore a file upload operation performed through the RadAsyncUpload component; based on the description, the upload interface might be publicly exposed, in which case the vulnerability can be leveraged remotely as well as locally. Given the low EPSS score and absence from the KEV catalog, the current threat level remains medium but warrants remediation before an exploit surfaces.
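To make the Impact and Risk sections concrete, the following added example (not Telerik's code; a hypothetical model of the identifier scheme the advisory describes) contrasts a temporary identifier derived only from timestamp and filename with one drawn from a CSPRNG, and shows why the former collides for uploads of the same filename that land in the same timestamp granularity. The function names and the SHA-256 choice are assumptions for illustration.

```python
import hashlib
import secrets

# Hypothetical model of the weak scheme (CWE-331): the temporary identifier
# is a function of the upload timestamp and the original filename only, so
# anyone who can reproduce those two inputs reproduces the identifier.
# This is an illustration, not the vendor's implementation.
def weak_temp_id(filename: str, timestamp: int) -> str:
    material = f"{timestamp}:{filename}".encode("utf-8")
    return hashlib.sha256(material).hexdigest()[:32]


# Hardened variant: 128 bits from the OS CSPRNG. Filename and timestamp may
# still be stored as metadata, but they no longer determine the identifier,
# so it can neither be predicted nor made to collide on purpose.
def strong_temp_id() -> str:
    return secrets.token_hex(16)


def temp_ids_for_burst(filename: str, timestamp: int, n: int,
                       hardened: bool) -> list[str]:
    """Identifiers a server would assign to n uploads of the same filename
    arriving within one timestamp tick (constructed scenario)."""
    if hardened:
        return [strong_temp_id() for _ in range(n)]
    return [weak_temp_id(filename, timestamp) for _ in range(n)]


def distinct_ratio(ids: list[str]) -> float:
    """1.0 means every upload got its own identifier; lower means collisions."""
    return len(set(ids)) / len(ids)


if __name__ == "__main__":
    ts = 1_700_000_000  # constructed timestamp
    weak = temp_ids_for_burst("report.pdf", ts, 5, hardened=False)
    strong = temp_ids_for_burst("report.pdf", ts, 5, hardened=True)
    print("weak  distinct ratio:", distinct_ratio(weak))    # 0.2
    print("strong distinct ratio:", distinct_ratio(strong))  # 1.0
```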
OpenCVE Enrichment