CVE-2019-18935 — Progress Telerik UI for ASP.NET AJAX

known ransomware use

Progress Telerik UI for ASP.NET AJAX Deserialization of Untrusted Data Vulnerability

Added to KEV

2021-11-03

Federal due date

2022-05-03

Vendor

Progress

Product

Telerik UI for ASP.NET AJAX

EPSS

99.9th percentile (score 0.937, as of 2026-06-08)

NVD CVSS v3.1

—

Ransomware use

Known

Upstream

https://nvd.nist.gov/vuln/detail/CVE-2019-18935

CISA short description

Progress Telerik UI for ASP.NET AJAX contains a deserialization of untrusted data vulnerability through RadAsyncUpload which leads to code execution on the server in the context of the w3wp.exe process.

Required action

Apply updates per vendor instructions.

EPSS percentile is the FIRST.org exploit-probability ranking as of the date noted above; it moves daily. CVSS reflects NVD's analysis at time of publication.