Zero Day Monitor (ZDM)
CVE-2026-6022 | 7.5 | EXPLOITED | PATCHED
progress · telerik ui for ajax

Uncontrolled Resource Consumption Vulnerability in Telerik UI for ASP.NET AJAX

Description

In Progress® Telerik® UI for AJAX prior to 2026.1.421, RadAsyncUpload contains an uncontrolled resource consumption vulnerability that allows file uploads to exceed the configured maximum size due to missing cumulative size enforcement during chunk reassembly, leading to disk space exhaustion.

Affected Products

Vendor   | Product             | Versions
progress | telerik ui for ajax | 2011.2.712

References

  • https://www.telerik.com/products/aspnet-ajax/documentation/knowledge-base/kb-security-uncontrolled-resource-consumption-cve-2026-6022 (vendor-advisory)

Related News (1 article)

Tier C · VulDB · 8d ago
CVE-2026-6022 | Progress Telerik UI for ASP.NET AJAX up to 2026.1.216 File Upload resource consumption
→ No new info (linked only)

CVSS 3.1: 7.5 HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CISA KEV: ❌ No
Actively exploited: ✅ Yes
Patch available: 2026.1.421
CWE: CWE-400
Published: Apr 22, 2026
Last enriched: 8d ago (v2)
Trending Score: 15
Source articles: 1
Independent: 1
Info Completeness: 9/14
Missing: epss, kev, exploit, iocs, mitre_attack

Related CVEs (5)

  • CRITICAL · CVE-2026-4670 · EXP · Trending: 75
    Improper Authentication vulnerability in Progress MOVEit Automation
  • CRITICAL · CVE-2026-5174 · EXP · Trending: 60
    Improper Access Control Vulnerability in Progress MOVEit Automation
  • HIGH · CVE-2026-3518 · Trending: 17
    OS Command Injection Remote Code Execution Vulnerability in Progress LoadMaster, ECS Connection Manager, Object Scale Connection Manager & MOVEit WAF
  • HIGH · CVE-2026-4048 · Trending: 16
    OS Command Injection Remote Code Execution Vulnerability in Progress LoadMaster, ECS Connection Manager, Object Scale Connection Manager & MOVEit WAF
  • HIGH · CVE-2026-3519 · Trending: 15
    OS Command Injection Remote Code Execution Vulnerability in Progress LoadMaster, ECS Connection Manager, Object Scale Connection Manager & MOVEit WAF

Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

CVE Published: Apr 22, 2026
Discovered by ZDM: Apr 22, 2026
Updated (affectedVersions, severity, activelyExploited): Apr 22, 2026
Actively Exploited: Apr 22, 2026
Patch Available: Apr 22, 2026

Version History

v2 · Tier C · 8d ago · via VulDB

Updated affected versions to include 2026.1.216, changed severity to MEDIUM, and noted that no exploit is available.

Changed fields: affectedVersions, severity, activelyExploited

v1 · 8d ago

Initial creation