CRITICALCVE-2026-41553Published 2026-05-15Modified 2026-05-15CNA CERT-PL

CVE-2026-41553: Remote Code Execution in PDF Export Module

PDF Export Module used in DHTMLX's products Gantt and Scheduler is vulnerable to Remote Code Execution due to lack of "data" parameter sanitization. An unauthenticated attacker can inject the malicious JavaScript code to the parameter whose value is processed by Node.js and subsequently executed. This can lead to server compromise. This issue was fixed in PDF Export Module version 0.7.6.

CVSS v4.0: 10.0
Severity: CRITICAL
Fixed in: 0.7.6
Affected Products: 1

Fix available

0.7.6

Affected packages

DHTMLX / PDF Export Module
< 0.7.6 (from 0.3.3)

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

References

cert.pl
docs.dhtmlx.com

Metrics

Fix available