CVE-2026-41553

CRITICAL

Remote Code Execution in PDF Export Module

Title source: cna

Description

PDF Export Module used in DHTMLX's products Gantt and Scheduler is vulnerable to Remote Code Execution due to lack of "data" parameter sanitization. An unauthenticated attacker can inject the malicious JavaScript code to the parameter whose value is processed by Node.js and subsequently executed. This can lead to server compromise. This issue was fixed in PDF Export Module version 0.7.6.

References (2)

Core 2

Core References

Third Party Advisory third-party-advisory

https://cert.pl/en/posts/2026/05/CVE-2026-7182

Release Notes release-notes

https://docs.dhtmlx.com/gantt/guides/pdf-export-module-whatsnew/#076:~:text=Fixed%20Remote%20Code%20Execution%20and%20File%20Read%20vulnerabilities

Scores

CVSS v3 10.0

EPSS 0.0065

EPSS Percentile 46.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact total

Details

CWE

CWE-78

Status published

Products (2)

DHTMLX/PDF Export Module 0.3.3 - 0.7.6

dhtmlx/pdf_export_module < 0.7.6

Published May 15, 2026

Tracked Since May 15, 2026