PatchSiren

DHTMLX CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

CRITICAL DHTMLX CVE published 2026-05-15

CVE-2026-41553

CVE-2026-41553 is a critical remote code execution issue in DHTMLX’s PDF Export Module, which is used in DHTMLX Gantt and Scheduler. According to NVD and the referenced vendor materials, an unauthenticated attacker can supply malicious content through the "data" parameter, where it is processed by Node.js and executed. The issue was fixed in PDF Export Module version 0.7.6. Because the flaw is network-rea [truncated]

CRITICAL DHTMLX CVE published 2026-05-15

CVE-2026-41552

A critical path traversal vulnerability exists in DHTMLX's PDF Export Module, affecting versions from 0.3.3 through 0.7.5. The flaw stems from insufficient HTML sanitization in the PDF generation process, allowing unauthenticated remote attackers to embed malicious HTML payloads that can read arbitrary local files from the server and include their contents in generated PDF documents. The vulnerability was [truncated]