PatchSiren cyber security CVE debrief
CVE-2026-41553 DHTMLX CVE debrief
CVE-2026-41553 is a critical remote code execution issue in DHTMLX’s PDF Export Module, which is used in DHTMLX Gantt and Scheduler. According to NVD and the referenced vendor materials, an unauthenticated attacker can supply malicious content through the "data" parameter, where it is processed by Node.js and executed. The issue was fixed in PDF Export Module version 0.7.6. Because the flaw is network-reachable and requires no authentication or user interaction, it should be treated as an immediate patching priority.
- Vendor: DHTMLX
- Product: PDF Export Module
- CVSS: CRITICAL 10
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-15
- Original CVE updated: 2026-05-18
- Advisory published: 2026-05-15
- Advisory updated: 2026-05-18
Who should care
Organizations that deploy DHTMLX Gantt or Scheduler with the PDF Export Module, especially any internet-facing or server-side PDF export workflows. Security teams, application owners, and platform operators should also care if Node.js-based export services are exposed to untrusted input.
Technical summary
NVD classifies the issue as CWE-78 and maps affected software to cpe:2.3:a:dhtmlx:pdf_export_module:*, with versions before 0.7.6 marked vulnerable. The vulnerability description says the export module lacks sanitization of the "data" parameter, allowing attacker-controlled JavaScript to reach Node.js execution. NVD assigns a CVSS v4.0 vector indicating network attack, low complexity, no privileges, no user interaction, and high impacts to confidentiality, integrity, and availability.
Defensive priority
Immediate. This is a CVSS 10.0 unauthenticated RCE with a vendor-fixed version available.
Recommended defensive actions
- Upgrade DHTMLX PDF Export Module to version 0.7.6 or later as soon as possible.
- Inventory any applications using DHTMLX Gantt or Scheduler with PDF export enabled, including custom integrations and self-hosted export services.
- Restrict exposure of export endpoints to trusted networks while remediation is underway.
- Treat any server-side Node.js process handling untrusted export input as high risk and review surrounding hardening and monitoring.
- Validate that deployed builds actually include the fixed module version; do not rely on application version numbers alone.
- Check application logs and proxy logs for suspicious requests involving the export "data" parameter.
- If immediate upgrading is not possible, apply compensating controls such as access restrictions and temporary feature disablement where feasible.
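As an added example (not PatchSiren's, DHTMLX's or NVD's code), a small Node.js helper that applies two of the actions above: it scans constructed proxy log lines for requests to an assumed export endpoint whose "data" parameter carries Node.js code-like tokens, and compares an installed module version against the fixed 0.7.6 release. The endpoint path, log format and indicator list are assumptions; adjust them to the deployment being checked.

```javascript
// Added example, not vendor code. Assumption: the export endpoint path; change it to
// whatever path your DHTMLX export service is actually mounted on.
const EXPORT_PATH = /\/(export|generate)\b/i;

// Heuristic indicators: legitimate Gantt/Scheduler export data is JSON/markup, so
// Node.js API tokens inside the "data" parameter are worth reviewing.
const SUSPICIOUS = [
  /require\s*\(/i,
  /child_process/i,
  /process\.(env|mainModule|binding)/i,
  /\beval\s*\(/i,
  /\bFunction\s*\(/,
  /\bimport\s*\(/i,
];

// Parse a combined-format access log line: '... "METHOD /path?query HTTP/1.1" ...'.
// Returns null for lines that do not contain a request.
function parseRequest(line) {
  const m = line.match(/"(GET|POST|PUT) ([^ "]+) HTTP\/[\d.]+"/);
  if (!m) return null;
  const url = new URL(m[2], 'http://placeholder.invalid'); // base only for parsing
  return { method: m[1], path: url.pathname, params: url.searchParams };
}

// Which indicators matched the (already URL-decoded) "data" value.
function suspicionReasons(dataValue) {
  return SUSPICIOUS.filter((re) => re.test(dataValue)).map(String);
}

// Lines that hit the export endpoint with a "data" value matching any indicator.
function flagSuspiciousExports(lines) {
  const hits = [];
  for (const line of lines) {
    const req = parseRequest(line);
    if (!req || !EXPORT_PATH.test(req.path)) continue;
    const data = req.params.get('data');
    if (data === null) continue;
    const reasons = suspicionReasons(data);
    if (reasons.length) hits.push({ line, reasons });
  }
  return hits;
}

// Dotted-version comparison against the vendor-fixed release named in the advisory.
function isFixedVersion(version, fixed = '0.7.6') {
  const a = version.split('.').map(Number), b = fixed.split('.').map(Number);
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    const x = a[i] || 0, y = b[i] || 0;
    if (x !== y) return x > y;
  }
  return true; // equal to the fixed version
}

// Constructed sample lines, not real traffic: one benign export, one suspicious, one unrelated.
const SAMPLE_LOGS = [
  '10.0.0.5 - - [15/May/2026:10:01:02 +0000] "GET /export?data=%7B%22tasks%22%3A%5B%5D%7D HTTP/1.1" 200 512',
  '10.0.0.9 - - [15/May/2026:10:02:41 +0000] "GET /export?data=%7B%22tasks%22%3A%22require(%27child_process%27)%22%7D HTTP/1.1" 200 0',
  '10.0.0.7 - - [15/May/2026:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 1024',
];
console.log(flagSuspiciousExports(SAMPLE_LOGS).map((h) => h.reasons));
```

The version check is only meaningful when run against the module actually bundled in the deployed build, which is the point of the "do not rely on application version numbers alone" action.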
Evidence notes
The debrief is based only on the supplied NVD record and referenced official/vendor links. NVD states the vulnerability is in DHTMLX PDF Export Module, used by Gantt and Scheduler, and that versions before 0.7.6 are affected. The record cites CWE-78 and a CVSS 4.0 vector with AV:N/AC:L/AT:N/PR:N/UI:N and high confidentiality, integrity, and availability impact. The referenced CERT.PL advisory and DHTMLX release notes are the only supplied supporting links for remediation context. The CERT.PL URL path includes a different CVE number than the NVD entry; this appears to be a source-mapping detail that should be verified against the advisory text.
Official resources
- CVE-2026-41553 CVE record (CVE.org)
- CVE-2026-41553 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: Third Party Advisory
- Mitigation or vendor reference: Release Notes
CVE published by NVD on 2026-05-15T13:16:19.130Z and last modified on 2026-05-18T18:40:07.417Z, based on the supplied timeline.