CVE-2026-6022 HIGH

CVE-2026-6022: Uncontrolled Resource Consumption Vulnerability in Telerik UI for ASP.NET AJAX

Vendor Progress Software
Product Telerik UI for ASP.NET AJAX
Weakness CWE-400
Published April 22, 2026
Last update April 22, 2026

CVSS base score

7.5/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality None
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

What the vulnerability does

01Description

In Progress® Telerik® UI for AJAX prior to 2026.1.421, RadAsyncUpload contains an uncontrolled resource consumption vulnerability that allows file uploads to exceed the configured maximum size due to missing cumulative size enforcement during chunk reassembly, leading to disk space exhaustion.

Key dates

02Disclosure timeline

April 22, 2026 CVE published
April 22, 2026 Record updated