Vendor
Progress (organisation)
Progress is a political organisation associated with the British Labour Party, founded in 1996 to support the New Labour leadership of Tony Blair. It is seen as being on the right of the party.
Founded 1996
Products 19
CVEs 66
Across products 165
Status Private
Products
19
- 71 CVEs
- 20 CVEs
- 18 CVEs
- 17 CVEs
- 7 CVEs
- 5 CVEs
- 4 CVEs
- 4 CVEs
- 4 CVEs
- 2 CVEs
- 2 CVEs
- 2 CVEs
- 2 CVEs
- 2 CVEs
- 1 CVE
- 1 CVE
- 1 CVE
- 1 CVE
- 1 CVE
Recent CVEs
66

| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2017-11357 | Cri | 0.92 | 9.8 | 0.94 | KEV | Aug 23, 2017 | Progress Telerik UI for ASP.NET AJAX before R2 2017 SP2 does not properly restrict user input to RadAsyncUpload, which allows remote attackers to perform arbitrary file uploads or execute arbitrary code. |
| CVE-2017-9248 | Cri | 0.86 | 9.8 | 0.89 | KEV | Jul 3, 2017 | Telerik.Web.UI.dll in Progress Telerik UI for ASP.NET AJAX before R2 2017 SP1 and Sitefinity before 10.0.6412.0 does not properly protect Telerik.Web.UI.DialogParametersEncryptionKey or the MachineKey, which makes it easier for remote attackers to defeat cryptographic protection mechanisms, leading to a MachineKey leak, arbitrary file uploads or downloads, XSS, or ASP.NET ViewState compromise. |
| CVE-2026-2699 | Cri | 0.67 | 9.8 | 0.42 | | Apr 2, 2026 | Customer Managed ShareFile Storage Zones Controller (SZC) allows an unauthenticated attacker to access restricted configuration pages. This leads to changing system configuration and potential remote code execution. |
| CVE-2015-8261 | Cri | 0.67 | 9.8 | 0.04 | | Jan 8, 2016 | The DroneDeleteOldMeasurements implementation in Ipswitch WhatsUp Gold before 16.4 does not properly validate serialized XML objects, which allows remote attackers to conduct SQL injection attacks via a crafted SOAP request. |
| CVE-2026-4670 | Cri | 0.64 | 9.8 | 0.00 | | Apr 30, 2026 | Authentication bypass by primary weakness vulnerability in Progress Software MOVEit Automation allows Authentication Bypass. This issue affects MOVEit Automation: from 2025.0.0 before 2025.0.9, from 2024.0.0 before 2024.1.8, versions prior to 2024.0.0. |
| CVE-2015-9245 | Cri | 0.64 | 9.8 | 0.00 | | Oct 31, 2017 | Insecure default configuration in Progress Software OpenEdge 10.2x and 11.x allows unauthenticated remote attackers to specify arbitrary URLs from which to load and execute malicious Java classes via port 20931. |
| CVE-2026-2701 | Cri | 0.59 | 9.1 | 0.01 | | Apr 2, 2026 | Authenticated user can upload a malicious file to the server and execute it, which leads to remote code execution. |
| CVE-2026-3692 | Hig | 0.57 | 8.8 | 0.00 | | Apr 2, 2026 | In Progress Flowmon versions prior to 12.5.8, a vulnerability exists whereby an authenticated low-privileged user may craft a request during the report generation process that results in unintended commands being executed on the server. |
| CVE-2026-4048 | Hig | 0.55 | 8.4 | 0.00 | | Apr 20, 2026 | OS Command Injection Remote Code Execution Vulnerability in UI in Progress ADC Products allows an authenticated attacker with “All” permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in a custom WAF rule file during the file upload process. |
| CVE-2026-3519 | Hig | 0.55 | 8.4 | 0.00 | | Apr 20, 2026 | OS Command Injection Remote Code Execution Vulnerability in API in Progress ADC Products allows an authenticated attacker with “VS Administration” permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in the 'aclcontrol' command |
| CVE-2026-3518 | Hig | 0.55 | 8.4 | 0.00 | | Apr 20, 2026 | OS Command Injection Remote Code Execution Vulnerability in API in Progress ADC Products allows an authenticated attacker with “All” permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in the 'killsession' command |
| CVE-2026-3517 | Hig | 0.55 | 8.4 | 0.00 | | Apr 20, 2026 | OS Command Injection Remote Code Execution Vulnerability in API in Progress ADC Products allows an authenticated attacker with “Geo Administration” permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in the 'addcountry' command |
| CVE-2026-6023 | Hig | 0.53 | 8.1 | 0.00 | | Apr 22, 2026 | In Progress® Telerik® UI for AJAX versions 2024.4.1114 through 2026.1.421, the RadFilter control is vulnerable to insecure deserialization when restoring filter state if the state is exposed to the client. If an attacker tampers with this state, a server-side remote code execution is possible. |
| CVE-2026-5174 | Hig | 0.50 | 7.7 | 0.00 | | Apr 30, 2026 | Improper input validation vulnerability in Progress Software MOVEit Automation allows Privilege Escalation. This issue affects MOVEit Automation: from 2025.1.0 before 2025.1.5, from 2025.0.0 before 2025.0.9, from 2024.0.0 before 2024.1.8, versions prior to 2024.0.0. |
| CVE-2026-6022 | Hig | 0.49 | 7.5 | 0.00 | | Apr 22, 2026 | In Progress® Telerik® UI for AJAX prior to 2026.1.421, RadAsyncUpload contains an uncontrolled resource consumption vulnerability that allows file uploads to exceed the configured maximum size due to missing cumulative size enforcement during chunk reassembly, leading to disk space exhaustion. |
| CVE-2017-1000026 | Hig | 0.49 | 7.5 | 0.00 | | Jul 17, 2017 | Chef Software's mixlib-archive versions 0.3.0 and older are vulnerable to a directory traversal attack allowing attackers to overwrite arbitrary files by using ".." in tar archive entries |
| CVE-2015-6005 | Med | 0.45 | 6.9 | 0.00 | | Dec 27, 2015 | Multiple cross-site scripting (XSS) vulnerabilities in IPSwitch WhatsUp Gold before 16.4 allow remote attackers to inject arbitrary web script or HTML via (1) an SNMP OID object, (2) an SNMP trap message, (3) the View Names field, (4) the Group Names field, (5) the Flow Monitor Credentials field, (6) the Flow Monitor Threshold Name field, (7) the Task Library Name field, (8) the Task Library Description field, (9) the Policy Library Name field, (10) the Policy Library Description field, (11) the Template Library Name field, (12) the Template Library Description field, (13) the System Script Library Name field, (14) the System Script Library Description field, or (15) the CLI Settings Library Description field. |
| CVE-2015-6004 | Med | 0.43 | 6.5 | 0.11 | | Dec 27, 2015 | Multiple SQL injection vulnerabilities in IPSwitch WhatsUp Gold before 16.4 allow remote attackers to execute arbitrary SQL commands via (1) the UniqueID (aka sUniqueID) parameter to WrFreeFormText.asp in the Reports component or (2) the Find Device parameter. |
| CVE-2026-2737 | Med | 0.40 | 6.1 | 0.00 | | Apr 2, 2026 | A vulnerability exists in Progress Flowmon versions prior to 12.5.8 and 13.0.6, whereby an administrator who clicks a malicious link provided by an attacker may inadvertently trigger unintended actions within their authenticated web session. |
| CVE-2017-9140 | Med | 0.40 | 6.1 | 0.05 | | May 22, 2017 | Cross-site scripting (XSS) vulnerability in Telerik.ReportViewer.WebForms.dll in Telerik Reporting for ASP.NET WebForms Report Viewer control before R1 2017 SP2 (11.0.17.406) allows remote attackers to inject arbitrary web script or HTML via the bgColor parameter to Telerik.ReportViewer.axd. |