A cluster of severe security flaws was disclosed in the highly popular DHTMLX software suite, sending ripples through the global cybersecurity community.
Publicly disclosed on May 15, 2026, through CERT Polska, three high-impact vulnerabilities tracked as CVE-2026-7182, CVE-2026-41552, and CVE-2026-41553 threaten organizations utilizing the DHTMLX Diagram and PDF Export Modules.
Discovered and responsibly reported by security researchers Łukasz Jaworski and Tomasz Holeksa from Pentest Limited, these vulnerabilities range from arbitrary Path Traversal to unauthenticated Remote Code Execution (RCE).
With CVSS v4.0 base scores peaking at a staggering 10.0 out of 10 for the RCE flaw, these vulnerabilities pose an immediate and existential threat to unpatched enterprise servers.
By chaining these exploits or executing them in isolation, threat actors can bypass standard authentication mechanisms, read deeply sensitive internal files, and achieve total backend system compromise.
DHTMLX Vulnerability
DHTMLX is a widely utilized JavaScript library that provides software developers with rich, interactive UI components such as Gantt charts, Schedulers, and complex Diagrams.
To enhance the functionality of these frontend tools, DHTMLX offers dedicated backend export modules often powered by Node.js that allow end-users to seamlessly convert interactive web components into static, downloadable formats like PDFs and images.
Because these specialized export modules are designed to process complex data structures and render them entirely server-side, they handle significant amounts of user-supplied input. When rigorous input validation and HTML sanitization are improperly implemented, these modules transform from helpful user utilities into dangerous gateways for remote attackers.
In the case of these newly discovered CVEs, the lack of strict sanitization across multiple processing parameters has left the door wide open for malicious HTML payloads and directly injected JavaScript code.
The first vulnerability, formally identified as CVE-2026-7182, resides within the export module of the DHTMLX Diagram component. Affecting versions ranging from 1.0.0 up to and including 1.1.1, this flaw is categorized under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory).
The root cause of this vulnerability is the complete lack of HTML sanitization when processing the src attribute during the document export phase. When a user requests to export a diagram, the backend component fails to validate whether the provided source path is restricted to a safe, intended public directory.
Because of this architectural oversight, an unauthenticated attacker can craft a malicious HTML payload containing standard directory traversal sequences (such as ../../../). By manipulating the src attribute, the attacker can force the server-side export engine to retrieve arbitrary local files from the host server.
The contents of these sensitive internal files are then rendered and displayed directly within the generated PDF document that is returned to the attacker. This mechanism allows threat actors to silently exfiltrate database configuration files, sensitive environment variables, and cryptographic keys without ever needing a valid system account.
Running parallel to the Diagram flaw is CVE-2026-41552, a highly critical Path Traversal vulnerability boasting a CVSS v4.0 severity score of 9.2 out of 10. This flaw specifically targets the DHTMLX PDF Export Module (spanning versions 0.3.3 to 0.7.6), a backend processing service heavily relied upon by the DHTMLX Gantt and Scheduler enterprise products.
Much like the previously mentioned Diagram vulnerability, CVE-2026-41552 stems from an identical development weakness: insufficient HTML sanitization. The PDF Export Module is responsible for converting complex web-based Gantt charts and project schedules into printable documents.
However, the engine blindly accepts user-supplied HTML payloads to format the resulting PDF. An unauthenticated remote attacker can exploit this by embedding local file inclusion directives within the HTTP export request.
By injecting carefully constructed payloads, the Node.js backend processes the malicious input, fetches sensitive files from the server’s local file system, and seamlessly embeds their private contents into the final PDF output.
This creates a highly effective, stealthy data exfiltration pipeline, allowing attackers to continuously map the internal file system of the host machine and steal proprietary business data, all while appearing as standard PDF generation traffic to traditional network monitors.
While path traversal vulnerabilities are inherently dangerous, CVE-2026-41553 represents the absolute worst-case scenario for system administrators and security operations centers.
Assigned a maximum CVSS v4.0 base score of 10.0, this vulnerability is a catastrophic Remote Code Execution (RCE) flaw residing in the very same PDF Export Module (versions 0.3.3 to 0.7.6) used by Gantt and Scheduler.
Categorized under CWE-78 (Improper Neutralization of Special Elements used in an OS Command), this severe vulnerability shifts the attack vector from arbitrary file reading to arbitrary backend command execution. The core issue lies within the handling of the data parameter during the automated PDF generation process.
The Node.js backend processes the contents of this data parameter without implementing any form of strict input validation, data sanitization, or execution sandboxing.
Because Node.js directly interprets this parameter during processing, an unauthenticated attacker over the network can inject malicious JavaScript code directly into the payload. When the export module attempts to parse the provided data, it inadvertently executes the attacker’s injected script within the high-level context of the Node.js runtime.
The ramifications of CVE-2026-41553 are devastating. Exploitability is trivial, requiring absolutely no prior authentication, specialized privileges, or user interaction.
Once the injected JavaScript is successfully executed, the remote attacker can spawn reverse shell interfaces, install persistent malware backdoors, aggressively pivot into the internal corporate network, and achieve complete, unmitigated server compromise.
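An added example, not code from DHTMLX, contrasting the weakness class behind CVE-2026-41553 with a hardened handler: the data parameter is parsed as inert JSON and checked against an assumed allow-list of top-level keys (tasks, links, title) instead of being evaluated. The unsafe variant is a constructed illustration; the advisory does not state how the real module interprets the parameter.

```javascript
// Added example (not DHTMLX code): the export "data" parameter is treated as
// inert JSON and validated, never handed to the JavaScript engine.
const ALLOWED_KEYS = new Set(["tasks", "links", "title"]); // assumed schema

// Constructed illustration of the weakness class: evaluating the parameter
// means any JavaScript embedded in it runs inside the Node.js process.
function parseExportDataUnsafe(data) {
  return new Function("return (" + data + ")")();
}

// Accept only plain data: JSON primitives, arrays and objects, bounded depth,
// and no prototype-related keys that a later merge could turn into pollution.
function assertPlainData(value, depth = 0) {
  if (depth > 32) throw new Error("export data rejected: nesting too deep");
  if (value === null || ["string", "number", "boolean"].includes(typeof value)) return;
  if (Array.isArray(value)) return value.forEach((item) => assertPlainData(item, depth + 1));
  if (typeof value !== "object") throw new Error("export data rejected: unsupported type");
  for (const [key, item] of Object.entries(value)) {
    if (["__proto__", "constructor", "prototype"].includes(key)) {
      throw new Error(`export data rejected: forbidden key "${key}"`);
    }
    assertPlainData(item, depth + 1);
  }
}

// Hardened handler: size cap, strict JSON.parse, top-level key allow-list,
// then the structural walk above. Returns the validated object or throws.
function parseExportDataSafe(data, maxBytes = 1 << 20) {
  if (typeof data !== "string" || Buffer.byteLength(data, "utf8") > maxBytes) {
    throw new Error("export data rejected: not a string or too large");
  }
  let parsed;
  try {
    parsed = JSON.parse(data); // a syntax error is a rejection, never an eval
  } catch {
    throw new Error("export data rejected: not valid JSON");
  }
  if (parsed === null || typeof parsed !== "object" || Array.isArray(parsed)) {
    throw new Error("export data rejected: top level must be an object");
  }
  for (const key of Object.keys(parsed)) {
    if (!ALLOWED_KEYS.has(key)) throw new Error(`export data rejected: unexpected key "${key}"`);
  }
  assertPlainData(parsed);
  return parsed;
}
```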
Patch and Mitigation
The discovery of these zero-day-like vulnerabilities highlights a critical need for rigorous defense-in-depth strategies, especially when deploying specialized backend processing modules that handle user-generated content. Organizations actively utilizing DHTMLX Diagram, Gantt, or Scheduler must take immediate, prioritized action to secure their infrastructure.
The software vendor has officially released patches addressing all three vulnerabilities. Administrators must execute the following remediation steps without delay:
- Update DHTMLX Diagram: Upgrade the backend Diagram export module strictly to version 1.1.1 or later to definitively resolve the CVE-2026-7182 path traversal flaw.
- Update the PDF Export Module: Upgrade the standalone PDF Export Module utilized by Gantt and Scheduler to version 0.7.6 or later. Applying this single version update patches both the CVE-2026-41552 path traversal and the critical CVE-2026-41553 RCE vulnerabilities.
- Implement Network Segmentation: Ensure that backend rendering and export modules are strictly isolated from critical internal networks. They should operate via the principle of least privilege, completely lacking read or write access to sensitive system directories or internal databases.
- Deploy Web Application Firewalls (WAF): Actively configure WAF rules and edge protections to intelligently detect and intercept anomalous HTML payloads, JavaScript injections, and directory traversal sequences (e.g., ../) targeting external export API endpoints.
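A request-inspection rule of the kind the WAF recommendation calls for, as an added example rather than vendor or advisory content; the export endpoint paths, the rule set and the sample requests are constructed for this illustration. It decodes percent-encoding more than once, since a single decode misses doubly encoded traversal sequences.

```javascript
// Added example (not from the advisory or vendor): an edge rule of the kind the
// WAF recommendation describes, applied only to export endpoints. Endpoint
// paths, rules and sample requests are constructed for this illustration.
const EXPORT_PATHS = ["/export/pdf", "/export/png", "/diagram/export"]; // assumed

// Decode percent-encoding repeatedly (bounded) so "%252e%252e%252f" is seen as
// "../"; backslashes are folded to "/" and case is normalised before matching.
function normalizeBody(input, rounds = 3) {
  let current = input;
  for (let i = 0; i < rounds; i++) {
    let next;
    try { next = decodeURIComponent(current); } catch { break; }
    if (next === current) break;
    current = next;
  }
  return current.replace(/\\/g, "/").toLowerCase();
}

// Signatures for the three payload classes the advisory names. These are coarse
// on purpose: an export body should never legitimately contain any of them.
const RULES = [
  { id: "traversal", re: /(^|[\/"'=])\.\.\// },
  { id: "absolute-src", re: /src\s*=\s*["']?(\/|file:)/ },
  { id: "script-injection", re: /<script\b|javascript:|\bon[a-z]+\s*=/ },
];

// Inspect one request; returns the ids of matched rules (empty when clean or
// when the request is not aimed at an export endpoint).
function inspectExportRequest(req) {
  if (!EXPORT_PATHS.some((p) => req.path.startsWith(p))) return [];
  const body = normalizeBody(req.body || "");
  return RULES.filter((r) => r.re.test(body)).map((r) => r.id);
}

// Constructed sample traffic: one benign export followed by three hostile ones.
const SAMPLE_REQUESTS = [
  { path: "/export/pdf", body: '<div class="gantt"><img src="img/logo.png"></div>' },
  { path: "/export/pdf", body: '<img src="../../../config/db.json">' },
  { path: "/diagram/export", body: "data=%7B%22src%22%3A%22%252e%252e%252fsecret.env%22%7D" },
  { path: "/export/pdf", body: "data=<script>document.title</script>" },
];

function runDetection(requests = SAMPLE_REQUESTS) {
  return requests.map((r) => ({ path: r.path, hits: inspectExportRequest(r) }));
}
```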
FAQ
Q: What is the most critical vulnerability recently discovered in DHTMLX?
CVE-2026-41553 is the most critical, allowing unauthenticated Remote Code Execution (RCE) with a CVSS 4.0 score of 10.0.
Q: Which DHTMLX products are explicitly affected by the PDF Export Module flaws?
The vulnerable PDF Export Module (versions 0.3.3 to 0.7.6) is predominantly used by the DHTMLX Gantt and Scheduler software products.
Q: How do the Path Traversal vulnerabilities (CVE-2026-7182 and CVE-2026-41552) actually work?
They allow unauthenticated attackers to inject malicious HTML payloads that blindly read local server files and visibly display them in generated PDFs.
Q: What is the officially recommended fix for these DHTMLX vulnerabilities?
Administrators must update the Diagram module to version 1.1.1 and the PDF Export Module to version 0.7.6 to securely patch all known flaws.