CVE-2026-6023
Status: Analyzed - Analysis Complete
Insecure Deserialization in Telerik RadFilter Enables RCE

Publication date: 2026-04-22

Last updated on: 2026-05-05

Assigner: Progress Software Corporation

Description
In Progress® Telerik® UI for AJAX versions 2024.4.1114 through 2026.1.421, the RadFilter control is vulnerable to insecure deserialization when restoring filter state if the state is exposed to the client. If an attacker tampers with this state, a server-side remote code execution is possible.
Meta Information
Published: 2026-04-22
Last Modified: 2026-05-05
Generated: 2026-05-09
EPSS Evaluated: 2026-05-07
Affected Vendors & Products
Showing 1 associated CPE
Vendor: progress
Product: telerik_ui_for_asp.net_ajax
Version / Range: From 2024.4.1114 (inc) to 2026.1.421 (exc)
CWE ID: CWE-502
Description: The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.