Skip to content
CVSS 10.0CVSS 10.0 · CRITICAL

CVE-2026-41553

PDF Export Module used in DHTMLX's products Gantt and Scheduler is vulnerable to Remote Code Execution due to lack of "data" parameter sanitization. An unauthenticated attacker can inject the malicious JavaScript code to the parameter whose value is processed by Node.js and subsequently executed. This can lead to server compromise. This issue was fixed in PDF Export Module version 0.7.6.

Ver en NVD

Análisis

A critical pre-authentication RCE vulnerability in the DHTMLX PDF Export Module allows attackers to execute arbitrary JavaScript on the server via the data parameter. If you use DHTMLX Gantt or Scheduler with the export module, update to version 0.7.6 immediately.

Roles relevantes

JavascriptTypescriptBackendFrontend

Severidad

Puntaje: 10.0(CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
AV: NETWORK
AC: LOW
PR: NONE
UI: NONE
S: CHANGED
C: HIGH
I: HIGH
A: HIGH
Tipo de falla (CWE): CWE-78

EPSS

Probabilidad de explotación (próx. 30 días): 0.0034 (0.3%)
Percentil: 56.4%
EPSS: 2026-05-25

Afecta

dhtmlx:pdf_export_module

Descripción técnica

PDF Export Module used in DHTMLX's products Gantt and Scheduler is vulnerable to Remote Code Execution due to lack of "data" parameter sanitization. An unauthenticated attacker can inject the malicious JavaScript code to the parameter whose value is processed by Node.js and subsequently executed. This can lead to server compromise. This issue was fixed in PDF Export Module version 0.7.6.

Publicada: 15/5/2026, 13:16:19
Última modificación: 18/5/2026, 18:40:07

Referencias

InicioEventosBlogRecursosEquipo