Description
PDF Export Module used in DHTMLX's products Gantt and Scheduler is vulnerable to Remote Code Execution due to lack of "data" parameter sanitization. An unauthenticated attacker can inject the malicious JavaScript code to the parameter whose value is processed by Node.js and subsequently executed. This can lead to server compromise.

This issue was fixed in PDF Export Module version 0.7.6.
Published: 2026-05-15
Score: 10 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The PDF Export Module in DHTMLX's Gantt and Scheduler products fails to sanitize the 'data' parameter, allowing an unauthenticated attacker to inject malicious JavaScript that is processed and executed by Node.js. The flaw is classified as CWE-78 and can result in full server compromise, giving the attacker complete control over the affected host. The description explicitly states that the data parameter allows remote code execution and gives enough technical detail to confirm the attack vector. No mitigating controls are described, so exploitation requires only the malformed input.

Affected Systems

Affected systems are installations of the DHTMLX PDF Export Module, which is used by the Gantt and Scheduler components. Any deployment that is still using a version prior to 0.7.6 is vulnerable; the fix was released in version 0.7.6. Consumers of the module should upgrade to 0.7.6 or later to eliminate the flaw.

Risk and Exploitability

The CVSS score of 10.0 denotes critical severity. While the EPSS score is not available and no exploitable public proof of concept is known, which may lower the overall likelihood of exploitation, the potential impact is extreme. The vulnerability is not listed in the CISA KEV catalog, implying no reports of active exploitation at the time of this analysis. Because no authentication is required, an attacker could reach the export endpoint directly over the network, trigger the injection flaw and execute arbitrary code on the server.

Generated by OpenCVE AI on May 15, 2026 at 14:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest PDF Export Module version 0.7.6 or newer to all DHTMLX Gantt and Scheduler installations.
  • Upgrade any DHTMLX product that incorporates the PDF Export Module to the latest release that contains the patched module version.
  • If an immediate upgrade is not feasible, restrict the PDF Export Module endpoint to authenticated users or block external access using firewall or site-level controls.

Generated by OpenCVE AI on May 15, 2026 at 14:35 UTC.

Tracking


Advisories

No advisories yet.

History

Fri, 15 May 2026 14:15:00 +0000

Type     | Values Removed | Values Added
Metrics  |                | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 15 May 2026 13:00:00 +0000

Type        | Values Removed | Values Added
Description |                | PDF Export Module used in DHTMLX's products Gantt and Scheduler is vulnerable to Remote Code Execution due to lack of "data" parameter sanitization. An unauthenticated attacker can inject the malicious JavaScript code to the parameter whose value is processed by Node.js and subsequently executed. This can lead to server compromise. This issue was fixed in PDF Export Module version 0.7.6.
Title       |                | Remote Code Execution in PDF Export Module
Weaknesses  |                | CWE-78
References  |                |
Metrics     |                | cvssV4_0: {'score': 10, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: CERT-PL

Published:

Updated: 2026-05-15T13:13:14.917Z

Reserved: 2026-04-21T12:09:57.293Z

Link: CVE-2026-41553

Vulnrichment

Updated: 2026-05-15T13:13:11.469Z

NVD

Status: Awaiting Analysis

Published: 2026-05-15T13:16:19.130

Modified: 2026-05-15T14:12:43.710

Link: CVE-2026-41553

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-15T14:45:16Z

Weaknesses