CVE-2026-41553

UNKNOWN 0.0

Remote Code Execution in PDF Export Module

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

PDF Export Module used in DHTMLX's products Gantt and Scheduler is vulnerable to Remote Code Execution due to lack of "data" parameter sanitization. An unauthenticated attacker can inject the malicious JavaScript code to the parameter whose value is processed by Node.js and subsequently executed. This can lead to server compromise. This issue was fixed in PDF Export Module version 0.7.6.

CWE	CWE-78
Vendor	dhtmlx
Product	pdf export module
Published	May 15, 2026
Last Updated	May 15, 2026

Stay Ahead of the Next One

Get instant alerts for dhtmlx pdf export module

Be the first to know when new unknown vulnerabilities affecting dhtmlx pdf export module are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

DHTMLX / PDF Export Module

0.3.3 < 0.7.6

References

NVD ↗ CVE.org ↗ EPSS Data ↗

cert.pl: https://cert.pl/en/posts/2026/05/CVE-2026-7182 docs.dhtmlx.com: https://docs.dhtmlx.com/gantt/guides/pdf-export-module-whatsnew/#076:~:text=Fixed%20Remote%20Code%20Execution%20and%20File%20Read%20vulnerabilities

Credits

Łukasz Jaworski (Pentest Limited) Tomasz Holeksa (Pentest Limited)