External risk intelligence

DHTMLX PDF Export Module allows attackers to take control of servers.

CVE advisory. Severity: CRITICAL (CVSS 10.0)

CVE-2026-41553

DHTMLX PDF Export Module flaws let anyone gain control of your servers by sending a malicious link. This critical issue impacts DHTMLX Gantt and Scheduler products.

Halo Surface Signal: 4

Weakness: OS Command Injection

Affected product: DHTMLX PDF Export Module

Affected versions: before 0.7.6

External exposure likelihood

Halo Surface Signal score for CVE-2026-41553

The vulnerable component is a server-side PDF export module embedded within web applications like DHTMLX Gantt and Scheduler. These applications are commonly deployed as public-facing web services to allow user interaction, such as viewing or exporting project plans and schedules, making the underlying PDF export functionality reachable from the internet in standard deployments.

Horizon Alert

Summary of the vulnerability and why it matters

A vulnerability in DHTMLX's PDF Export Module allows unauthenticated attackers to execute arbitrary code on the server. This happens because the module does not properly sanitize input, letting attackers inject malicious JavaScript that can then be run by the Node.js environment. This could lead to a full server compromise.

  • It affects DHTMLX Gantt and Scheduler products.
  • Attackers can achieve remote code execution.
  • This can lead to server compromise.

Attack Path

How an attacker could exploit the issue

An unauthenticated attacker can exploit this flaw by sending a crafted request to a vulnerable DHTMLX product that uses the PDF Export Module. By injecting malicious JavaScript into the "data" parameter, the attacker can trigger remote code execution on the server, which could lead to a complete compromise of the affected server.

  • No authentication required.
  • Target: Server-side PDF export module.
  • Unsanitized "data" parameter.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability in the DHTMLX PDF export module allows unauthenticated attackers to execute arbitrary code on the server by injecting malicious JavaScript into the `data` parameter. Given the module's integration into web-facing applications like Gantt and Scheduler, and the critical nature of Remote Code Execution (RCE), attackers are likely to seek ways to exploit this. However, specific details on active exploitation are not yet widely publicized, and there are no indications of it being a known exploited vulnerability.

  • No known exploitation activity observed.
  • Not listed as a KEV.
  • Fix released recently.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize patching the DHTMLX PDF Export Module to version 0.7.6 immediately, as unauthenticated attackers can achieve remote code execution and potentially compromise servers. If immediate patching is not feasible, isolate affected services to prevent exploitation while a solution is deployed.

  • Update DHTMLX PDF Export Module to 0.7.6.
  • Isolate affected services if patching is delayed.
  • Monitor for suspicious outbound network activity.

Frequently asked questions

What is the DHTMLX PDF Export Module vulnerability and how does it work?

The DHTMLX PDF Export Module is vulnerable to Remote Code Execution (RCE) due to a failure to sanitize the "data" parameter. An unauthenticated attacker can inject malicious JavaScript, which is then processed and executed by the Node.js environment, potentially leading to server compromise. This weakness is categorized as CWE-78, which relates to OS command injection.

How can an attacker exploit the DHTMLX PDF Export Module flaw?

An attacker can exploit this flaw by sending a specially crafted request to a vulnerable DHTMLX product that uses the PDF Export Module. By injecting malicious JavaScript into the "data" parameter, the attacker can trigger remote code execution on the server, enabling a full server compromise without requiring any authentication.

What products are affected by the DHTMLX PDF Export Module vulnerability?

The vulnerability affects DHTMLX products that use the PDF Export Module, specifically DHTMLX Gantt and DHTMLX Scheduler. The affected versions of the PDF Export Module are all versions prior to 0.7.6.

What is the risk associated with the DHTMLX PDF Export Module RCE vulnerability?

The risk associated with this vulnerability is critical, as it allows for Remote Code Execution (RCE) by an unauthenticated attacker. This can lead to a complete compromise of the affected server, posing a significant threat to data security and system integrity. The CVSS v4.0 score for this vulnerability is 10.0.

What steps should be taken to address the DHTMLX PDF Export Module vulnerability?

The recommended action is to immediately update the DHTMLX PDF Export Module to version 0.7.6. If immediate patching is not possible, affected services should be isolated to prevent exploitation while a permanent solution is implemented. Monitoring for suspicious outbound network activity is also advised.
