Telerik Telerik

  1. Vendors
  2. Telerik

Don't miss out!

Thousands of developers use stack.watch to stay informed.
Get an email whenever new security vulnerabilities are reported in any Telerik product.

RSS Feeds for Telerik security vulnerabilities

Create a CVE RSS feed including security vulnerabilities found in Telerik products with stack.watch. Just hit watch, then grab your custom RSS feed url.

Products by Telerik Sorted by Most Security Vulnerabilities since 2018

Telerik Ui For Asp Net Ajax6 vulnerabilities

Telerik Ui For Wpf6 vulnerabilities

Telerik Ui For Winforms3 vulnerabilities

Telerik Fiddler1 vulnerability

Telerik Justassembly1 vulnerability

Telerik Justdecompile1 vulnerability

Telerik Kendo Ui For Vue1 vulnerability

Telerik Kendoreact1 vulnerability

Telerik Radchart1 vulnerability

Telerik Report Server 20241 vulnerability

Telerik Ui For Silverlight1 vulnerability

Telerik Ui For Winui1 vulnerability

Known Exploited Telerik Vulnerabilities

The following Telerik vulnerabilities have been marked by CISA as Known to be Exploited by threat actors.

Title Description Added
Telerik UI for ASP.NET AJAX Insecure Direct Object Reference Vulnerability Telerik UI for ASP.NET AJAX contains an insecure direct object reference vulnerability in RadAsyncUpload that can result in file uploads in a limited location and/or remote code execution.
CVE-2017-11357 Exploit Probability: 93.8% 		January 26, 2023
Telerik UI for ASP.NET AJAX Unrestricted File Upload Vulnerability Telerik.Web.UI in Progress Telerik UI for ASP.NET AJAX allows remote attackers to perform arbitrary file uploads or execute arbitrary code.
CVE-2017-11317 Exploit Probability: 92.0% 		April 11, 2022
Telerik UI for ASP.NET AJAX and Progress Sitefinity Cryptographic Weakness Vuln Telerik.Web.UI.dll in Progress Telerik UI for ASP.NET AJAX before R2 2017 SP1 and Sitefinity before 10.0.6412.0 does not properly protect Telerik.Web.UI.DialogParametersEncryptionKey or the MachineKey.
CVE-2017-9248 Exploit Probability: 87.8% 		November 3, 2021

Of the known exploited vulnerabilities above, 3 are in the top 1%, or the 99th percentile of the EPSS exploit probability rankings.

By the Year

In 2026 there have been 0 vulnerabilities in Telerik. Last year, in 2025 Telerik had 4 security vulnerabilities published. Right now, Telerik is on track to have less security vulnerabilities in 2026 than it did last year.




Year Vulnerabilities Average Score
2026 0 0.00
2025 4 8.00
2024 9 8.57
2023 0 0.00
2022 0 0.00
2021 1 9.80
2020 2 8.80
2019 2 9.80
2018 1 0.00

It may take a day or so for new Telerik vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.

Recent Telerik Security Vulnerabilities

CVE Date Vulnerability Products
CVE-2024-11628 Feb 12, 2025
Prototype Pollution in Telerik Kendo UI Vue v2.4v6.0.1 Enables Injection In Progress® Telerik® Kendo UI for Vue versions v2.4.0 through v6.0.1, an attacker can introduce or modify properties within the global prototype chain which can result in denial of service or command injection.
Kendo Ui For Vue
CVE-2025-0332 Feb 12, 2025
Telerik UI for WinForms <2025.1.211 Path Traversal in Archive Extraction In Progress® Telerik® UI for WinForms, versions prior to 2025 Q1 (2025.1.211), using the improper limitation of a target path can lead to decompressing an archive's content into a restricted directory.
Ui For Winforms
CVE-2024-12629 Feb 12, 2025
KendoReact Prototype Pollution v3.5.0-v9.4.0 Progress Telerik In Progress® Telerik® KendoReact versions v3.5.0 through v9.4.0, an attacker can introduce or modify properties within the global prototype chain which can result in denial of service or command injection.
Kendoreact
CVE-2024-12251 Feb 12, 2025
Telerik UI for WinUI <3.0.0 Command Injection via Hyperlink Elements (CVE-2024-12251) In Progress® Telerik® UI for WinUI versions prior to 2025 Q1 (3.0.0), a command injection attack is possible through improper neutralization of hyperlink elements.
Ui For Winui
CVE-2024-10095 Dec 16, 2024
Insecure Deserialization in Telerik UI for WPF pre-2024.4.1213 Allows Exec In Progress Telerik UI for WPF versions prior to 2024 Q4 (2024.4.1213), a code execution attack is possible through an insecure deserialization vulnerability.
Ui For Wpf
CVE-2024-10012 Nov 13, 2024
Telerik UI for WPF Insecure Deserialization Code Execution Vulnerability In Progress Telerik UI for WPF versions prior to 2024 Q4 (2024.4.1111), a code execution attack is possible through an insecure deserialization vulnerability.
Ui For Wpf
CVE-2024-10013 Nov 13, 2024
Telerik UI for WinForms Insecure Deserialization Code Execution Vulnerability In Progress Telerik UI for WinForms versions prior to 2024 Q4 (2024.4.1113), a code execution attack is possible through an insecure deserialization vulnerability.
Ui For Winforms
CVE-2024-8316 Sep 25, 2024
Telerik UI for WPF <2024 Q3 insecure deserialization allows code execution In Progress Telerik UI for WPF versions prior to 2024 Q3 (2024.3.924), a code execution attack is possible through an insecure deserialization vulnerability.
Ui For Wpf
CVE-2024-7575 Sep 25, 2024
Command Injection via Hyperlink Elements in Telerik UI for WPF <2024.3.924 In Progress Telerik UI for WPF versions prior to 2024 Q3 (2024.3.924), a command injection attack is possible through improper neutralization of hyperlink elements.
Ui For Wpf
CVE-2024-7576 Sep 25, 2024
Insecure Deserialization in Telerik UI for WPF (<2024 Q3) Allows Exploit In Progress Telerik UI for WPF versions prior to 2024 Q3 (2024.3.924), a code execution attack is possible through an insecure deserialization vulnerability.
Ui For Wpf
CVE-2024-7679 Sep 25, 2024
Command Injection in Telerik UI for WinForms < 2024 Q3 via Hyperlink Elements In Progress Telerik UI for WinForms versions prior to 2024 Q3 (2024.3.924), a command injection attack is possible through improper neutralization of hyperlink elements.
Ui For Wpf
CVE-2024-4358 May 29, 2024
Auth Bypass in Telerik Report Server 10.0.24.305 on IIS In Progress Telerik Report Server, version 2024 Q1 (10.0.24.305) or earlier, on IIS, an unauthenticated attacker can gain access to Telerik Report Server restricted functionality via an authentication bypass vulnerability.
Report Server 2024
CVE-2024-3892 May 15, 2024
Local Code Exec in Telerik WinForms UI v2021.1.122v2024.2.513 (theme assembly) A local code execution vulnerability is possible in Telerik UI for WinForms beginning in v2021.1.122 but prior to v2024.2.514. This vulnerability could allow an untrusted theme assembly to execute arbitrary code on the local Windows system.
Ui For Winforms
CVE-2021-28141 Mar 11, 2021
An issue was discovered in Progress Telerik UI for ASP.NET AJAX 2021.1.224 An issue was discovered in Progress Telerik UI for ASP.NET AJAX 2021.1.224. It allows unauthorized access to MicrosoftAjax.js through the Telerik.Web.UI.WebResource.axd file. This may allow the attacker to gain unauthorized access to the server and execute code. To exploit, one must use the parameter _TSM_HiddenField_ and inject a command at the end of the URI. NOTE: the vendor states that this is not a vulnerability. The request's output does not indicate that a "true" command was executed on the server, and the request's output does not leak any private source code or data from the server
Ui For Asp Net Ajax
CVE-2020-13661 Nov 05, 2020
Telerik Fiddler through 5.0.20202.18177 Telerik Fiddler through 5.0.20202.18177 allows attackers to execute arbitrary programs via a hostname with a trailing space character, followed by --utility-and-browser --utility-cmd-prefix= and the pathname of a locally installed program. The victim must interactively choose the Open On Browser option. Fixed in version 5.0.20204.
Fiddler
CVE-2020-11414 Mar 31, 2020
An issue was discovered in Progress Telerik UI for Silverlight before 2020.1.330 An issue was discovered in Progress Telerik UI for Silverlight before 2020.1.330. The RadUploadHandler class in RadUpload for Silverlight expects a web request that provides the file location of the uploading file along with a few other parameters. The uploading file location should be inside the directory where the upload handler class is defined. Before 2020.1.330, a crafted web request could result in uploads to arbitrary locations.
Ui For Silverlight
CVE-2019-19790 Dec 13, 2019
Path traversal in RadChart in Telerik UI for ASP.NET AJAX Path traversal in RadChart in Telerik UI for ASP.NET AJAX allows a remote attacker to read and delete an image with extension .BMP, .EXIF, .GIF, .ICON, .JPEG, .PNG, .TIFF, or .WMF on the server through a specially crafted request. NOTE: RadChart was discontinued in 2014 in favor of RadHtmlChart. All RadChart versions were affected. To avoid this vulnerability, you must remove RadChart's HTTP handler from a web.config (its type is Telerik.Web.UI.ChartHttpHandler).
Radchart
Ui For Asp Net Ajax
CVE-2019-18935 Dec 11, 2019
Progress Telerik UI for ASP.NET AJAX through 2019.3.1023 contains a .NET deserialization vulnerability in the RadAsyncUpload function Progress Telerik UI for ASP.NET AJAX through 2019.3.1023 contains a .NET deserialization vulnerability in the RadAsyncUpload function. This is exploitable when the encryption keys are known due to the presence of CVE-2017-11317 or CVE-2017-11357, or other means. Exploitation can result in remote code execution. (As of 2020.1.114, a default setting prevents the exploit. In 2019.3.1023, but not earlier versions, a non-default setting can prevent exploitation.)
Ui For Asp Net Ajax
CVE-2018-15122 Aug 16, 2018
An issue found in Progress Telerik JustAssembly through 2018.1.323.2 and JustDecompile through 2018.2.605.0 makes it possible to execute code by decompiling a compiled .NET object (such as DLL or EXE) with an embedded resource file by clicking on the resource. An issue found in Progress Telerik JustAssembly through 2018.1.323.2 and JustDecompile through 2018.2.605.0 makes it possible to execute code by decompiling a compiled .NET object (such as DLL or EXE) with an embedded resource file by clicking on the resource.
Justassembly
Justdecompile
CVE-2017-11317 Aug 23, 2017
Telerik.Web.UI in Progress Telerik UI for ASP.NET AJAX before R1 2017 and R2 before R2 2017 SP2 uses weak RadAsyncUpload encryption, which Telerik.Web.UI in Progress Telerik UI for ASP.NET AJAX before R1 2017 and R2 before R2 2017 SP2 uses weak RadAsyncUpload encryption, which allows remote attackers to perform arbitrary file uploads or execute arbitrary code.
Ui For Asp Net Ajax
CVE-2017-11357 Aug 23, 2017
Progress Telerik UI for ASP.NET AJAX before R2 2017 SP2 does not properly restrict user input to RadAsyncUpload, which Progress Telerik UI for ASP.NET AJAX before R2 2017 SP2 does not properly restrict user input to RadAsyncUpload, which allows remote attackers to perform arbitrary file uploads or execute arbitrary code.
Ui For Asp Net Ajax
CVE-2017-9248 Jul 03, 2017
Telerik.Web.UI.dll in Progress Telerik UI for ASP.NET AJAX before R2 2017 SP1 and Sitefinity before 10.0.6412.0 does not properly protect Telerik.Web.UI.DialogParametersEncryptionKey or the MachineKey Telerik.Web.UI.dll in Progress Telerik UI for ASP.NET AJAX before R2 2017 SP1 and Sitefinity before 10.0.6412.0 does not properly protect Telerik.Web.UI.DialogParametersEncryptionKey or the MachineKey, which makes it easier for remote attackers to defeat cryptographic protection mechanisms, leading to a MachineKey leak, arbitrary file uploads or downloads, XSS, or ASP.NET ViewState compromise.
Ui For Asp Net Ajax
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD). Privacy Policy. Use of this site is governed by the Legal Terms
Disclaimer
CONTENT ON THIS WEBSITE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. Always check with your vendor for the most up to date, and accurate information.