{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-6022", "assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05", "state": "PUBLISHED", "assignerShortName": "ProgressSoftware", "dateReserved": "2026-04-09T15:47:25.214Z", "datePublished": "2026-04-22T07:07:30.795Z", "dateUpdated": "2026-04-22T07:07:30.795Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05", "shortName": "ProgressSoftware", "dateUpdated": "2026-04-22T07:07:30.795Z"}, "title": "Uncontrolled Resource Consumption Vulnerability in Telerik UI for ASP.NET AJAX", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-400", "description": "CWE-400 Uncontrolled Resource Consumption", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-572", "descriptions": [{"lang": "en", "value": "CAPEC-572 Artificially Inflate File Sizes"}]}], "affected": [{"vendor": "Progress Software", "product": "Telerik UI for ASP.NET AJAX", "versions": [{"status": "affected", "version": "2011.2.712", "lessThan": "2026.1.421", "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "In Progress\u00ae Telerik\u00ae UI for AJAX prior to 2026.1.421, RadAsyncUpload contains an uncontrolled resource consumption vulnerability that allows file uploads to exceed the configured maximum size due to missing cumulative size enforcement during chunk reassembly, leading to disk space exhaustion.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>In Progress\u00ae Telerik\u00ae UI for AJAX prior to 2026.1.421, RadAsyncUpload contains an uncontrolled resource consumption vulnerability that allows file uploads to exceed the configured maximum size due to missing cumulative size enforcement during chunk reassembly, leading to disk space exhaustion.</p>"}]}], "references": [{"url": "https://www.telerik.com/products/aspnet-ajax/documentation/knowledge-base/kb-security-uncontrolled-resource-consumption-cve-2026-6022", "tags": ["vendor-advisory"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH", "baseSeverity": "HIGH", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}}], "credits": [{"lang": "en", "value": "Monetary Authority of Singapore", "type": "finder"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 0.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In Progress\u00ae Telerik\u00ae UI for AJAX prior to 2026.1.421, RadAsyncUpload contains an uncontrolled resource consumption vulnerability that allows file uploads to exceed the configured maximum size due to missing cumulative size enforcement during chunk reassembly, leading to disk space exhaustion."}], "id": "CVE-2026-6022", "lastModified": "2026-04-22T08:16:12.903", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security@progress.com", "type": "Secondary"}]}, "published": "2026-04-22T08:16:12.903", "references": [{"source": "security@progress.com", "url": "https://www.telerik.com/products/aspnet-ajax/documentation/knowledge-base/kb-security-uncontrolled-resource-consumption-cve-2026-6022"}], "sourceIdentifier": "security@progress.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "security@progress.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T08:51:08.136905+00:00", "value": {"mitigation_remediation": ["Upgrade to Telerik UI for ASP.NET AJAX 2026.1.421 or later", "If a patch is not immediately available, remove or disable the RadAsyncUpload control to prevent file uploads", "Configure the web server (e.g., IIS request filtering) to reject uploads exceeding the maximum allowed size before reaching the application"], "summary": {"action": "Patch", "impact": "Uncontrolled Disk Space Exhaustion Leads to Denial of Service"}, "threat_synthesis": {"affected_systems": "Progress Software\u2019s Telerik UI for ASP.NET AJAX, versions earlier than 2026.1.421, are affected. Users running the RadAsyncUpload control in these releases should verify their installed version against this requirement.", "description_and_impact": "The vulnerability resides in the RadAsyncUpload component of Telerik UI for ASP.NET AJAX before version 2026.1.421. It allows users to upload files whose cumulative size is not properly checked during chunk reassembly, permitting uploads that exceed the configured maximum. This flaw can exhaust the hosting environment\u2019s disk space, potentially rendering the web application and related services unavailable.", "risk_and_exploitability": "The CVSS score of 7.5 indicates a high severity. Although an EPSS score is not provided, the lack of a known exploit in the KEV catalog suggests moderate exploitation likelihood. The attack is likely feasible over the public network via file upload functionality, as the flaw is triggered by submitting oversized uploads to the RadAsyncUpload endpoint."}}}}, "created": "2026-04-22T09:00:09.438506+00:00", "updated": "2026-04-22T09:00:09.438541+00:00", "vendors": []}