Remote Code Execution in DHTMLX Gantt and Scheduler PDF Export Module
CVE-2026-41553

10 CRITICAL

Key Information:

Vendor: Dhtmlx

CVE Published: 15 May 2026

What is CVE-2026-41553?

The PDF Export Module in DHTMLX's Gantt and Scheduler products is susceptible to a Remote Code Execution vulnerability due to insufficient sanitization of the 'data' parameter. This flaw allows unauthenticated attackers to inject malicious JavaScript code, which is processed by Node.js and executed on the server. If exploited, an attacker could potentially gain control over the server, leading to serious security breaches. This vulnerability has been addressed in the PDF Export Module version 0.7.6.

Affected Version(s)

PDF Export Module from 0.3.3 up to, but not including, 0.7.6

CVSS V4

Score: 10
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Łukasz Jaworski (Pentest Limited)
Tomasz Holeksa (Pentest Limited)