CVE-2026-2878 MEDIUM

CVE-2026-2878: Insufficient Entropy Vulnerability in Telerik UI for ASP.NET AJAX

Vendor Progress Software
Product Telerik UI for ASP.NET AJAX
Weakness CWE-331
Published February 25, 2026
Last update February 27, 2026

CVSS base score

5.3/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction Required
Confidentiality None
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N

What the vulnerability does

01Description

In Progress® Telerik® UI for AJAX, versions prior to 2026.1.225, an insufficient entropy vulnerability exists in RadAsyncUpload, where a predictable temporary identifier, based on timestamp and filename, can enable collisions and file content tampering.

Key dates

02Disclosure timeline

February 25, 2026 CVE published
February 27, 2026 Record updated