CVE-2026-6023 PUBLISHED

Deserialization of Untrusted Data Vulnerability in Telerik UI for ASP.NET AJAX

Assigner: ProgressSoftware
Reserved: 09.04.2026 Published: 22.04.2026 Updated: 22.04.2026

In Progress® Telerik® UI for AJAX versions 2024.4.1114 through 2026.1.421, the RadFilter control is vulnerable to insecure deserialization when restoring filter state if the state is exposed to the client. If an attacker tampers with this state, a server-side remote code execution is possible.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS Score: 8.1

Attack Vector	Network	Scope	Unchanged
Attack Complexity	High	Confidentiality Impact	High
Privileges Required	None	Integrity Impact	High
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	Progress Software
Product	Telerik UI for ASP.NET AJAX
Versions	Default: unaffected affected from 2024.4.1114 to 2026.1.421 (excl.)

References

https://www.telerik.com/products/aspnet-ajax/documentation/knowledge-base/kb-security-deserialization-of-untrusted-data-cve-2026-6023

Problem Types

CWE-502 Deserialization of Untrusted Data CWE

Impacts

CAPEC-586 Object Injection