CVE-2026-2878 | THREATINT

Description

In Progress® Telerik® UI for AJAX, versions prior to 2026.1.225, an insufficient entropy vulnerability exists in RadAsyncUpload, where a predictable temporary identifier, based on timestamp and filename, can enable collisions and file content tampering.

PUBLISHED Reserved 2026-02-20 | Published 2026-02-25 | Updated 2026-02-25 | Assigner ProgressSoftware

MEDIUM: 5.3CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N

Problem types

CWE-331 Insufficient Entropy

Product status

Default status

unaffected

2011.2.712 (custom) before 2026.1.225

affected

Credits

Monetary Authority of Singapore finder

References

www.telerik.com/...curity-insufficient-entropy-cve-2026-2878 vendor-advisory

cve.org (CVE-2026-2878)

nvd.nist.gov (CVE-2026-2878)

Download JSON