EUVD-2026-24632
GHSA-mcrv-gh25-252c
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionNVD
In Progress® Telerik® UI for AJAX versions 2024.4.1114 through 2026.1.421, the RadFilter control is vulnerable to insecure deserialization when restoring filter state if the state is exposed to the client. If an attacker tampers with this state, a server-side remote code execution is possible.
AnalysisAI
Remote code execution in Progress Telerik UI for ASP.NET AJAX via insecure deserialization in the RadFilter control allows unauthenticated remote attackers to execute arbitrary code on the server by tampering with exposed client-side filter state. Affected versions span 2024.4.1114 through 2026.1.421. …
Sign in for full analysis, threat intelligence, and remediation guidance.
RemediationAI
Within 24 hours: Inventory all systems running Progress Telerik UI for ASP.NET AJAX and identify which are running affected versions 2024.4.1114-2026.1.421; disable or restrict network access to RadFilter controls if possible. Within 7 days: Contact Progress Software for patch availability and ETA; implement network segmentation or WAF rules to block malicious filter state payloads targeting RadFilter endpoints. …
Sign in for detailed remediation steps.
Share
External POC / Exploit Code
Leaving vuln.today