CVE-2026-6023 HIGH

CVE-2026-6023: Deserialization of Untrusted Data Vulnerability in Telerik UI for ASP.NET AJAX

Vendor Progress Software
Product Telerik UI for ASP.NET AJAX
Weakness CWE-502 · Unsafe deserialization
Published April 22, 2026
Last update April 23, 2026
View on NVD All CVEs

CVSS base score

8.1/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

In Progress® Telerik® UI for AJAX versions 2024.4.1114 through 2026.1.421, the RadFilter control is vulnerable to insecure deserialization when restoring filter state if the state is exposed to the client. If an attacker tampers with this state, a server-side remote code execution is possible.

Key dates

02Disclosure timeline

April 22, 2026 CVE published
April 23, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2025-39485 WordPress GrandTour theme <= 5.6 - PHP Object Injection vulnerability CVE-2022-47599 WordPress File Manager Plugin <= 5.2.7 is vulnerable to PHP Object Injection CVE-2022-41922 yiisoft/yii before v1.1.27 vulnerable to Remote Code Execution if the application calls `unserialize()` on arbitrary user input CVE-2023-20852 aEnrich a+HRD - Deserialization of Untrusted Data CVE-2024-56058 WordPress VRPConnector plugin <= 2.0.1 - PHP Object Injection vulnerability