Skip to content
CVSS 10.0CVSS 10.0 · CRITICAL

CVE-2026-41553

PDF Export Module used in DHTMLX's products Gantt and Scheduler is vulnerable to Remote Code Execution due to lack of "data" parameter sanitization. An unauthenticated attacker can inject the malicious JavaScript code to the parameter whose value is processed by Node.js and subsequently executed. This can lead to server compromise. This issue was fixed in PDF Export Module version 0.7.6.

View on NVD

Analysis

A critical pre-authentication RCE vulnerability in the DHTMLX PDF Export Module allows attackers to execute arbitrary JavaScript on the server via the data parameter. If you use DHTMLX Gantt or Scheduler with the export module, update to version 0.7.6 immediately.

Relevant roles

JavascriptTypescriptBackendFrontend

Severity

Score: 10.0(CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
AV: NETWORK
AC: LOW
PR: NONE
UI: NONE
S: CHANGED
C: HIGH
I: HIGH
A: HIGH
Weakness (CWE): CWE-78

EPSS

Probability of exploitation (next 30 days): 0.0034 (0.3%)
Percentile: 56.4%
EPSS: 2026-05-25

Affects

dhtmlx:pdf_export_module

Technical description

PDF Export Module used in DHTMLX's products Gantt and Scheduler is vulnerable to Remote Code Execution due to lack of "data" parameter sanitization. An unauthenticated attacker can inject the malicious JavaScript code to the parameter whose value is processed by Node.js and subsequently executed. This can lead to server compromise. This issue was fixed in PDF Export Module version 0.7.6.

Published: 5/15/2026, 1:16:19 PM
Last modified: 5/18/2026, 6:40:07 PM

References

HomeEventsBlogResourcesTeam