Filtered by vendor Progress
Subscribe
Total
223 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-2878 | 1 Progress | 1 Telerik Ui For Asp.net Ajax | 2026-02-26 | N/A | 5.3 MEDIUM |
| In Progress® Telerik® UI for AJAX, versions prior to 2026.1.225, an insufficient entropy vulnerability exists in RadAsyncUpload, where a predictable temporary identifier, based on timestamp and filename, can enable collisions and file content tampering. | |||||
| CVE-2024-1212 | 1 Progress | 1 Loadmaster | 2026-02-26 | N/A | 10.0 CRITICAL |
| Unauthenticated remote attackers can access the system through the LoadMaster management interface, enabling arbitrary system command execution. | |||||
| CVE-2025-13444 | 1 Progress | 5 Connection Manager For Objectscale, Ecs Connection Manager, Loadmaster and 2 more | 2026-02-13 | N/A | 8.4 HIGH |
| OS Command Injection Remote Code Execution Vulnerability in API in Progress LoadMaster allows an authenticated attacker with “User Administration” permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in the API input parameters | |||||
| CVE-2025-13447 | 1 Progress | 5 Connection Manager For Objectscale*, Ecs Connection Manager, Loadmaster and 2 more | 2026-02-10 | N/A | 8.4 HIGH |
| OS Command Injection Remote Code Execution Vulnerability in API in Progress LoadMaster allows an authenticated attacker with “User Administration” permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in the API input parameters | |||||
| CVE-2025-13774 | 1 Progress | 1 Flowmon Anomaly Detection System | 2026-02-05 | N/A | 8.8 HIGH |
| A vulnerability exists in Progress Flowmon ADS versions prior to 12.5.4 and 13.0.1 where an SQL injection vulnerability allows authenticated users to execute unintended SQL queries and commands. | |||||
| CVE-2025-11235 | 1 Progress | 1 Moveit Transfer | 2026-02-03 | N/A | 3.7 LOW |
| Unverified Password Change vulnerability in Progress MOVEit Transfer on Windows (REST API modules).This issue affects MOVEit Transfer: from 2023.1.0 before 2023.1.3, from 2023.0.0 before 2023.0.8, from 2022.1.0 before 2022.1.11, from 2022.0.0 before 2022.0.10. | |||||
| CVE-2025-13147 | 1 Progress | 1 Moveit Transfer | 2025-11-24 | N/A | 5.3 MEDIUM |
| Server-Side Request Forgery (SSRF) vulnerability in Progress MOVEit Transfer.This issue affects MOVEit Transfer: before 2024.1.8, from 2025.0.0 before 2025.0.4. | |||||
| CVE-2024-8048 | 1 Progress | 1 Telerik Reporting | 2025-11-03 | N/A | 7.8 HIGH |
| In Progress Telerik Reporting versions prior to 2024 Q3 (18.2.24.924), a code execution attack is possible using object injection via insecure expression evaluation. | |||||
| CVE-2024-8014 | 1 Progress | 1 Telerik Reporting | 2025-11-03 | N/A | 8.8 HIGH |
| In Progress Telerik Reporting versions prior to 2024 Q3 (18.2.24.924), a code execution attack is possible through object injection via an insecure type resolution vulnerability. | |||||
| CVE-2024-7840 | 1 Progress | 1 Telerik Reporting | 2025-11-03 | N/A | 7.8 HIGH |
| In Progress Telerik Reporting versions prior to 2024 Q3 (18.2.24.924), a command injection attack is possible through improper neutralization of hyperlink elements. | |||||
| CVE-2023-40044 | 1 Progress | 1 Ws Ftp Server | 2025-10-31 | N/A | 10.0 CRITICAL |
| In WS_FTP Server versions prior to 8.7.4 and 8.8.2, a pre-authenticated attacker could leverage a .NET deserialization vulnerability in the Ad Hoc Transfer module to execute remote commands on the underlying WS_FTP Server operating system. | |||||
| CVE-2024-4885 | 1 Progress | 1 Whatsup Gold | 2025-10-31 | N/A | 9.8 CRITICAL |
| In WhatsUp Gold versions released before 2023.1.3, an unauthenticated Remote Code Execution vulnerability in Progress WhatsUpGold. The WhatsUp.ExportUtilities.Export.GetFileWithoutZip allows execution of commands with iisapppool\nmconsole privileges. | |||||
| CVE-2024-6670 | 1 Progress | 1 Whatsup Gold | 2025-10-31 | N/A | 9.8 CRITICAL |
| In WhatsUp Gold versions released before 2024.0.0, a SQL Injection vulnerability allows an unauthenticated attacker to retrieve the users encrypted password. | |||||
| CVE-2023-34362 | 1 Progress | 2 Moveit Cloud, Moveit Transfer | 2025-10-27 | N/A | 9.8 CRITICAL |
| In Progress MOVEit Transfer before 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1), a SQL injection vulnerability has been found in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain access to MOVEit Transfer's database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database, and execute SQL statements that alter or delete database elements. NOTE: this is exploited in the wild in May and June 2023; exploitation of unpatched systems can occur via HTTP or HTTPS. All versions (e.g., 2020.0 and 2019x) before the five explicitly mentioned versions are affected, including older unsupported versions. | |||||
| CVE-2017-9248 | 2 Progress, Telerik | 2 Sitefinity, Ui For Asp.net Ajax | 2025-10-22 | 7.5 HIGH | 9.8 CRITICAL |
| Telerik.Web.UI.dll in Progress Telerik UI for ASP.NET AJAX before R2 2017 SP1 and Sitefinity before 10.0.6412.0 does not properly protect Telerik.Web.UI.DialogParametersEncryptionKey or the MachineKey, which makes it easier for remote attackers to defeat cryptographic protection mechanisms, leading to a MachineKey leak, arbitrary file uploads or downloads, XSS, or ASP.NET ViewState compromise. | |||||
| CVE-2025-6504 | 2 Linux, Progress | 2 Linux Kernel, Hybrid Data Pipeline | 2025-10-02 | N/A | 8.4 HIGH |
| In HDP Server versions below 4.6.2.2978 on Linux, unauthorized access could occur via IP spoofing using the X-Forwarded-For header. Since XFF is a client-controlled header, it could be spoofed, allowing unauthorized access if the spoofed IP matched a whitelisted range. This vulnerability could be exploited to bypass IP restrictions, though valid user credentials would still be required for resource access. | |||||
| CVE-2025-6505 | 2 Linux, Progress | 2 Linux Kernel, Hybrid Data Pipeline | 2025-10-02 | N/A | 8.1 HIGH |
| Unauthorized access and impersonation can occur in versions 4.6.2.3226 and below of Progress Software's Hybrid Data Pipeline Server on Linux. This vulnerability allows attackers to combine credentials from different sources, potentially leading to client impersonation and unauthorized access. When OAuth Clients perform an OAuth handshake with the Hybrid Data Pipeline Server, the server accepts client credentials from both HTTP headers and request parameters. | |||||
| CVE-2025-3600 | 1 Progress | 1 Telerik Ui For Asp.net Ajax | 2025-09-30 | N/A | 7.5 HIGH |
| In Progress® Telerik® UI for AJAX, versions 2011.2.712 to 2025.1.218, an unsafe reflection vulnerability exists that may lead to an unhandled exception resulting in a crash of the hosting process and denial of service. | |||||
| CVE-2024-6576 | 1 Progress | 1 Moveit Transfer | 2025-08-01 | N/A | 7.3 HIGH |
| Improper Authentication vulnerability in Progress MOVEit Transfer (SFTP module) can lead to Privilege Escalation.This issue affects MOVEit Transfer: from 2023.0.0 before 2023.0.12, from 2023.1.0 before 2023.1.7, from 2024.0.0 before 2024.0.3. | |||||
| CVE-2025-1758 | 1 Progress | 2 Loadmaster, Multi-tenant Loadmaster | 2025-07-31 | N/A | 4.3 MEDIUM |
| Improper Input Validation vulnerability in Progress LoadMaster allows : Buffer OverflowThis issue affects: * LoadMaster: 7.2.40.0 and above * ECS: All versions * Multi-Tenancy: 7.1.35.4 and above | |||||