CVE-2026-2878 Progress — Exploit & Vulnerability Details MEDIUM

CVE-2026-2878

MEDIUM CVSS 3.1: 5.9 EPSS 0.01%

Parameter	Value
CVSS	5.9 (MEDIUM)
Affected Versions	before 2026.1.225
Fixed In	2026.1.225
Type	CWE-331
Vendor	Progress
Public PoC	No

In Progress® Telerik® UI for AJAX, versions prior to 2026.1.225, an insufficient entropy vulnerability exists in RadAsyncUpload, where a predictable temporary identifier, based on timestamp and filename, can enable collisions and file content tampering.

Attack Parameters

Attack Vector

Network

Can be exploited remotely

Attack Complexity

High

Difficult to exploit

Privileges Required

None

No privileges needed

User Interaction

None

No user interaction needed

Impact Assessment

Confidentiality

None

No data leak

Integrity

High

Complete data modification

Availability

None

No disruption

CVSS Vector v3.1

Weakness Type (CWE)

CWE-331

Vulnerable Products 1

Configuration	From (including)	Up to (excluding)
Progress Telerik_Ui_For_Asp.Net_Ajax cpe:2.3:a:progress:telerik_ui_for_asp.net_ajax::::::::	—	`2026.1.225`

References 1

https://www.telerik.com/products/aspnet-ajax/documentation/knowledge-base/kb-se…

security@progress.com

Share Post Share Share Share

Related Vulnerabilities

CVE-2026-3692

Progress

8.7

CVE-2025-11235

Progress

7.5

CVE-2025-10703

Progress

8.6

CVE-2025-10702

Progress

8.6

CVE-2024-6097

Progress

5.3

Menu

CVE-2026-2878

Attack Parameters

Impact Assessment

CVSS Vector v3.1

Weakness Type (CWE)

Vulnerable Products 1

References 1

Related Vulnerabilities

CVE-2026-3692

CVE-2025-11235

CVE-2025-10703

CVE-2025-10702

CVE-2024-6097

CVE Details

Editor's Choice

Menu

CVE-2026-2878

Attack Parameters

Impact Assessment

CVSS Vector v3.1

Weakness Type (CWE)

Vulnerable Products 1

References 1

Related Vulnerabilities

CVE-2026-3692

CVE-2025-11235

CVE-2025-10703

CVE-2025-10702

CVE-2024-6097

CVE Details

Editor's Choice

Stay informed on cybersecurity