Path Traversal Vulnerability in DHTMLX Diagram by DHTMLX
CVE-2026-7182

9.2CRITICAL

Key Information:

Vendor: Dhtmlx
Status: Diagram
Vendor: CVE Published:; 15 May 2026

What is CVE-2026-7182?

A vulnerability in DHTMLX Diagram's export module allows for path traversal attacks due to insufficient HTML sanitization in the src attribute. This flaw enables an unauthenticated user to craft malicious HTML payloads that can access and display sensitive local files from the server in generated PDF documents. The issue has been resolved in version 1.1.1, highlighting the importance of maintaining updated software to mitigate potential risks.

Affected Version(s)

Diagram 1.0.0 < 1.1.1

References

https://cert.pl/en/posts/2026/05/CVE-2026-7182

third-party-advisory

https://docs.dhtmlx.com/diagram/whats_new/#version-612

release-notes

https://dhtmlx.com/docs/products/dhtmlxDiagram/

product

CVSS V4

Score:

9.2

Severity:

CRITICAL

Confidentiality:

High

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 15, 2026
Vulnerability Reserved
Apr 27, 2026

Credit

Łukasz Jaworski (Pentest Limited)

Tomasz Holeksa (Pentest Limited)

CVE-2026-7182 Data

JSON

Dhtmlx

What is CVE-2026-7182?

Affected Version(s)

References

CVSS V4

Timeline

Credit