CRITICAL✓ PATCH🇵🇱 Wersja polska

CVE-2026-41553

CVSS 10.0v4.0pub. 2026-05-15upd. 2026-05-18

PDF Export Module used in DHTMLX's products Gantt and Scheduler is vulnerable to Remote Code Execution due to lack of "data" parameter sanitization. An unauthenticated attacker can inject the malicious JavaScript code to the parameter whose value is processed by Node.js and subsequently executed. This can lead to server compromise. This issue was fixed in PDF Export Module version 0.7.6.

🤖 AI Analysis
How it works

The vulnerability results from the lack of validation and sanitization of the 'data' parameter value passed to the PDF Export Module. An attacker can inject malicious JavaScript code, which is then processed and executed by the Node.js environment on the server side. This is a classic case of command injection (CWE-78) — an unauthenticated remote user can provide a specially crafted payload without any additional prerequisites.

Impact

Successful exploitation of the vulnerability leads to complete server compromise, including the ability to execute arbitrary system commands with Node.js process privileges. An attacker can read system files, install malicious software, or conduct further lateral movement in the network.

Mitigation & patch

The PDF Export Module must be immediately updated to version 0.7.6 or later, in which the RCE vulnerability and file read vulnerability have been removed. Update information is available in the DHTMLX vendor documentation (PDF Export module changelog).

Who is affected

PDF Export Module (DHTMLX component) in versions prior to 0.7.6, used in DHTMLX Gantt and DHTMLX Scheduler products.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Dhtmlx Pdf Export Module

    APP
    Dhtmlx
    < 0.7.6
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
Tags
RCEAuth BypassCommand Injection
CWE
References

Related vulnerabilities

CVE-2026-41552CRITICAL9.2PL ✓ten sam produkt

Path Traversal w PDF Export Module DHTMLX Gantt i Scheduler

CVE-2024-55213MEDIUM6.5ten sam vendor

Directory Traversal vulnerability in dhtmlxFileExplorer v.8.4.6 allows a remote attacker to obtain sensitive i...

CVE-2024-55214MEDIUM6.5ten sam vendor

Local File Inclusion vulnerability in dhtmlxFileExplorer v.8.4.6 allows a remote attacker to obtain sensitive ...

CVE-2013-6281MEDIUM4.3ten sam vendor

Cross-site scripting (XSS) vulnerability in codebase/spreadsheet.php in the Spreadsheet (dhtmlxSpreadsheet) pl...