Aggregates CVE and security vulnerability intelligence across all Progress Software-related products, including CVSS, EPSS, publication dates, and vulnerability intelligence data.
Historical issues mainly involve SSRF, CSRF, buffer overflow, and related problems; some flaws may lead to application crashes and memory corruption.

| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2026-2699 | Customer Managed ShareFile Storage Zones Controller (SZC) allows an unauthenticated attacker to access restricted configuration pages. This leads to changing system configuration and potential remote code execution. | [email protected] | 9.8 | 32.03% | 2026-04-02 | 2026-04-21 |
| CVE-2026-2878 | In Progress® Telerik® UI for AJAX, versions prior to 2026.1.225, an insufficient entropy vulnerability exists in RadAsyncUpload, where a predictable temporary identifier, based on timestamp and filename, can enable collisions and file content tampering. | [email protected] | 5.3 | 0.03% | 2026-02-25 | 2026-02-26 |
| CVE-2025-13447 | OS Command Injection Remote Code Execution Vulnerability in API in Progress LoadMaster allows an authenticated attacker with “User Administration” permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in the API input parameters | [email protected] | 8.4 | 0.13% | 2026-01-13 | 2026-02-10 |
| CVE-2025-13444 | OS Command Injection Remote Code Execution Vulnerability in API in Progress LoadMaster allows an authenticated attacker with “User Administration” permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in the API input parameters | [email protected] | 8.4 | 0.05% | 2026-01-13 | 2026-02-13 |
| CVE-2025-13774 | A vulnerability exists in Progress Flowmon ADS versions prior to 12.5.4 and 13.0.1 where an SQL injection vulnerability allows authenticated users to execute unintended SQL queries and commands. | [email protected] | 8.8 | 0.02% | 2026-01-13 | 2026-02-05 |
| CVE-2025-11235 | Unverified Password Change vulnerability in Progress MOVEit Transfer on Windows (REST API modules). This issue affects MOVEit Transfer: from 2023.1.0 before 2023.1.3, from 2023.0.0 before 2023.0.8, from 2022.1.0 before 2022.1.11, from 2022.0.0 before 2022.0.10. | [email protected] | 3.7 | 0.02% | 2026-01-07 | 2026-02-03 |
| CVE-2025-13147 | Server-Side Request Forgery (SSRF) vulnerability in Progress MOVEit Transfer. This issue affects MOVEit Transfer: before 2024.1.8, from 2025.0.0 before 2025.0.4. | [email protected] | 5.3 | 0.01% | 2025-11-19 | 2025-11-24 |
| CVE-2025-6505 | Unauthorized access and impersonation can occur in versions 4.6.2.3226 and below of Progress Software's Hybrid Data Pipeline Server on Linux. This vulnerability allows attackers to combine credentials from different sources, potentially leading to client impersonation and unauthorized access. When OAuth Clients perform an OAuth handshake with the Hybrid Data Pipeline Server, the server accepts client credentials from both HTTP headers and request parameters. | [email protected] | 8.1 | 0.18% | 2025-07-29 | 2025-10-02 |
| CVE-2025-6504 | In HDP Server versions below 4.6.2.2978 on Linux, unauthorized access could occur via IP spoofing using the X-Forwarded-For header. Since XFF is a client-controlled header, it could be spoofed, allowing unauthorized access if the spoofed IP matched a whitelisted range. This vulnerability could be exploited to bypass IP restrictions, though valid user credentials would still be required for resource access. | [email protected] | 8.4 | 0.07% | 2025-07-29 | 2025-10-02 |
| CVE-2025-3600 | In Progress® Telerik® UI for AJAX, versions 2011.2.712 to 2025.1.218, an unsafe reflection vulnerability exists that may lead to an unhandled exception resulting in a crash of the hosting process and denial of service. | [email protected] | 7.5 | 0.60% | 2025-05-14 | 2025-09-30 |
| CVE-2025-2572 | In WhatsUp Gold versions released before 2024.0.3, a database manipulation vulnerability allows an unauthenticated attacker to modify the contents of WhatsUp.dbo.WrlsMacAddressGroup. | [email protected] | 5.6 | 0.00% | 2025-04-14 | 2025-07-17 |
| CVE-2025-2324 | Improper Privilege Management vulnerability for users configured as Shared Accounts in Progress MOVEit Transfer (SFTP module) allows Privilege Escalation. This issue affects MOVEit Transfer: from 2023.1.0 before 2023.1.12, from 2024.0.0 before 2024.0.8, from 2024.1.0 before 2024.1.2. | [email protected] | 5.9 | 0.12% | 2025-03-19 | 2025-07-31 |
| CVE-2025-1758 | Improper Input Validation vulnerability in Progress LoadMaster allows Buffer Overflow. This issue affects: LoadMaster: 7.2.40.0 and above; ECS: All versions; Multi-Tenancy: 7.1.35.4 and above. | [email protected] | 4.3 | 0.50% | 2025-03-19 | 2025-07-31 |
| CVE-2024-6097 | In Progress® Telerik® Reporting versions prior to 2025 Q1 (19.0.25.211), information disclosure is possible by a local threat actor through an absolute path vulnerability. | [email protected] | 5.3 | 0.05% | 2025-02-12 | 2025-02-24 |
| CVE-2024-11629 | In Progress® Telerik® Document Processing Libraries, versions prior to 2025 Q1 (2025.1.205), using .NET Standard 2.0, the contents of a file at an arbitrary path can be exported to RTF. | [email protected] | 7.1 | 0.76% | 2025-02-12 | 2025-02-19 |
| CVE-2024-11628 | In Progress® Telerik® Kendo UI for Vue versions v2.4.0 through v6.0.1, an attacker can introduce or modify properties within the global prototype chain which can result in denial of service or command injection. | [email protected] | 4.1 | 0.07% | 2025-02-12 | 2025-06-27 |
| CVE-2025-0556 | In Progress® Telerik® Report Server, versions prior to 2025 Q1 (11.0.25.211) when using the older .NET Framework implementation, communication of non-sensitive information between the service agent process and app host process occurs over an unencrypted tunnel, which can be subjected to local network traffic sniffing. | [email protected] | 8.8 | 0.08% | 2025-02-12 | 2025-02-20 |
| CVE-2025-0332 | In Progress® Telerik® UI for WinForms, versions prior to 2025 Q1 (2025.1.211), using the improper limitation of a target path can lead to decompressing an archive's content into a restricted directory. | [email protected] | 7.8 | 0.19% | 2025-02-12 | 2025-07-03 |
| CVE-2024-12629 | In Progress® Telerik® KendoReact versions v3.5.0 through v9.4.0, an attacker can introduce or modify properties within the global prototype chain which can result in denial of service or command injection. | [email protected] | 4.1 | 0.05% | 2025-02-12 | 2025-06-27 |
| CVE-2024-11343 | In Progress® Telerik® Document Processing Libraries, versions prior to 2025 Q1 (2025.1.205), unzipping an archive can lead to arbitrary file system access. | [email protected] | 8.3 | 0.30% | 2025-02-12 | 2025-02-20 |