CVE-2026-6023

Severity: CRITICAL (CVSS 9.8)
WAF: Medium
Published: 2026-04-22
CWE-502

In Progress® Telerik® UI for AJAX versions 2024.4.1114 through 2026.1.421, the RadFilter control is vulnerable to insecure deserialization when restoring filter state if the state is exposed to the client. If an attacker tampers with this state, server-side remote code execution is possible.

WAF Coverage Analysis

Insecure Deserialization: Medium WAF Coverage

OWASP: A08:2021 Software and Data Integrity Failures

944xxx - Java Attack

Affected Software

Vendor    Product                      Version
progress  telerik_ui_for_asp.net_ajax  2024.4.1114 - 2026.1.421
