Description
In Progress® Telerik® UI for AJAX versions 2024.4.1114 through 2026.1.421, the RadFilter control is vulnerable to insecure deserialization when restoring filter state if the state is exposed to the client. If an attacker tampers with this state, a server-side remote code execution is possible.
Published: 2026-04-22
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

This vulnerability is insecure deserialization (CWE-502) of the RadFilter control's saved state in applications that hand that state to the client so it can be restored on a later request. Because the serialized data is then under the client's control, an attacker can modify it before it is posted back; the server deserializes the tampered input without validating it, which can lead to execution of arbitrary code on the server. The result is server-side remote code execution that compromises the confidentiality, integrity, and availability of the affected application and the underlying host.

Affected Systems

Progress Software’s Telerik UI for ASP.NET AJAX products are affected in versions 2024.4.1114 through 2026.1.421. These are the releases that include the RadFilter control vulnerable to tampered client‑exposed state.

Risk and Exploitability

The CVSS 3.1 score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) indicates a high-severity vulnerability reachable over the network without privileges or user interaction; the high attack complexity reflects the precondition that the application exposes RadFilter state to the client. EPSS puts the probability of exploitation below 1%, the SSVC assessment records no known exploitation and rates the issue not automatable, and it is not listed in the CISA KEV catalog. The attacker must be able to submit or modify a request carrying the serialized filter state; if the server accepts and deserializes that tampered state, remote code execution on the application server is possible.

Generated by OpenCVE AI on April 22, 2026 at 08:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a Telerik UI for ASP.NET AJAX release that Progress identifies as fixing the RadFilter deserialization issue as soon as one is published; at the time of this record no fix or workaround is listed.
  • Until then, stop exposing RadFilter state to the client: do not persist the control's saved settings in cookies, hidden fields, or query strings and restore them from client input. Keep that state in Session or another server-side store, or remove the control from affected pages.
  • Treat any filter state that does arrive from the client as untrusted: verify its integrity (for example an HMAC computed with a server-side key) before passing it to the control's restore routine, and reject anything that fails verification rather than attempting to deserialize it.
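The integrity check described in the impact analysis and the recommended actions, as an added example in C# that is not code from this page, from Progress, or from Telerik: serialized filter state that must round-trip through the client is bound to an HMAC-SHA256 tag under a server-side key, and the server refuses to deserialize anything whose tag does not verify. The SaveSettings()/LoadSettings(string) calls in the comments, the hidden-field carrier, and the key source are assumptions about how an application would wire this in, and the sample state string is constructed. This does not patch the library; it removes the client-tampering precondition in applications that must keep exposing state until a fixed release is available.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example, not Telerik's or Progress's code. It keeps the server from
// deserializing RadFilter state the client has altered by binding the
// serialized state to an HMAC-SHA256 tag under a server-side key. The
// SaveSettings()/LoadSettings(string) calls in the usage comments are an
// assumption about the control's save/restore API, not taken from this page.
public sealed class FilterStateProtector
{
    private readonly byte[] _key;

    // The key must live only on the server (config, machineKey, or a vault)
    // and is never sent to the browser. 32 random bytes is a sensible minimum.
    public FilterStateProtector(byte[] key)
    {
        if (key == null || key.Length < 32)
            throw new ArgumentException("key must be at least 32 bytes", "key");
        _key = key;
    }

    // Call this on the way OUT to the client, e.g.
    //   hiddenField.Value = protector.Protect(RadFilter1.SaveSettings());
    // Output is base64(state) + "." + base64(HMAC-SHA256(state)).
    public string Protect(string serializedState)
    {
        if (serializedState == null) throw new ArgumentNullException("serializedState");
        byte[] payload = Encoding.UTF8.GetBytes(serializedState);
        return Convert.ToBase64String(payload) + "." + Convert.ToBase64String(Mac(payload));
    }

    // Call this on the way IN from the client, e.g.
    //   string state = protector.Unprotect(hiddenField.Value);
    //   if (state != null) RadFilter1.LoadSettings(state);
    // Returns null for anything malformed or tampered; the caller must not
    // hand such input to the deserializer.
    public string Unprotect(string token)
    {
        if (string.IsNullOrEmpty(token)) return null;
        int dot = token.IndexOf('.');
        if (dot <= 0 || dot == token.Length - 1) return null;

        byte[] payload, tag;
        try
        {
            payload = Convert.FromBase64String(token.Substring(0, dot));
            tag = Convert.FromBase64String(token.Substring(dot + 1));
        }
        catch (FormatException)
        {
            return null;
        }

        // Compare in constant time so a byte-at-a-time timing oracle cannot
        // help an attacker forge a tag.
        if (!FixedTimeEquals(Mac(payload), tag)) return null;
        return Encoding.UTF8.GetString(payload);
    }

    private byte[] Mac(byte[] data)
    {
        using (var hmac = new HMACSHA256(_key))
        {
            return hmac.ComputeHash(data);
        }
    }

    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

public static class FilterStateProtectorDemo
{
    public static void Main()
    {
        byte[] key = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(key);
        var protector = new FilterStateProtector(key);

        // Constructed stand-in for the opaque string the control's save
        // routine would return; the real format is not shown on this page.
        string state = "<filter><expr field=\"Country\" op=\"EqualTo\">DE</expr></filter>";
        string token = protector.Protect(state);
        Console.WriteLine("round trip ok: " + (protector.Unprotect(token) == state));

        // Simulated tampering: change one character of the payload half.
        char[] c = token.ToCharArray();
        c[0] = c[0] == 'A' ? 'B' : 'A';
        Console.WriteLine("tampered rejected: " + (protector.Unprotect(new string(c)) == null));
    }
}
```

On .NET Framework 4.5 and later, System.Web.Security.MachineKey.Protect and MachineKey.Unprotect with a purpose string give the same guarantee (authenticated encryption keyed by the application's machineKey) without a hand-rolled MAC. The simplest option is to not round-trip the state at all: keep it in Session or another server-side store and send the client only an opaque random identifier.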

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 13:15:00 +0000

Type: Metrics
Values Added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 22 Apr 2026 11:45:00 +0000

Type: First Time appeared
Values Added: Progress; Progress telerik Ui For Asp.net Ajax
Type: Vendors & Products
Values Added: Progress; Progress telerik Ui For Asp.net Ajax

Wed, 22 Apr 2026 07:45:00 +0000

Type: Description
Values Added: In Progress® Telerik® UI for AJAX versions 2024.4.1114 through 2026.1.421, the RadFilter control is vulnerable to insecure deserialization when restoring filter state if the state is exposed to the client. If an attacker tampers with this state, a server-side remote code execution is possible.
Type: Title
Values Added: Deserialization of Untrusted Data Vulnerability in Telerik UI for ASP.NET AJAX
Type: Weaknesses
Values Added: CWE-502
Type: References
Type: Metrics
Values Added: cvssV3_1
{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: ProgressSoftware

Published:

Updated: 2026-04-23T03:56:12.523Z

Reserved: 2026-04-09T15:47:27.389Z

Link: CVE-2026-6023

Vulnrichment

Updated: 2026-04-22T12:23:08.749Z

NVD

Status : Awaiting Analysis

Published: 2026-04-22T08:16:13.040

Modified: 2026-04-22T21:23:52.620

Link: CVE-2026-6023

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T11:30:15Z

Weaknesses