
CVE-2026-41553: DHTMLX Gantt and Scheduler PDF Export Remote Code Execution

Summary

An attacker can inject malicious code into the PDF export feature of DHTMLX Gantt and Scheduler, potentially taking control of the server. This is a serious risk because it allows an unauthenticated attacker to execute code on the server. To protect against this, update to version 0.7.6 or later of the PDF Export Module.

What to do

Update the PDF Export Module to version 0.7.6 or later, the release in which this issue was fixed.

Affected software
Vendor | Product | Affected versions
dhtmlx | pdf_export_module | < 0.7.6
cpe:2.3:a:dhtmlx:pdf_export_module:*:*:*:*:*:*:*:*
Original title
PDF Export Module used in DHTMLX's products Gantt and Scheduler is vulnerable to Remote Code Execution due to lack of "data" parameter sanitization. An unauthenticated attacker can inject the malic...
Original description
PDF Export Module used in DHTMLX's products Gantt and Scheduler is vulnerable to Remote Code Execution due to lack of "data" parameter sanitization. An unauthenticated attacker can inject the malicious JavaScript code to the parameter whose value is processed by Node.js and subsequently executed. This can lead to server compromise.

This issue was fixed in PDF Export Module version 0.7.6.
NVD CVSS 4.0 score: 10.0
Vulnerability type
CWE-78 OS Command Injection
Published: 15 May 2026 · Updated: 28 May 2026 · First seen: 15 May 2026
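
Added example (not code from DHTMLX or from this advisory): the description attributes the flaw to a "data" parameter that is processed by Node.js and executed, so the sketch below contrasts that bug class with a handler that treats the parameter strictly as JSON. The page does not describe the module's internals; the function names, limits and sample inputs are assumptions constructed for illustration.

```javascript
// Added illustration. parseUnsafe, parseExportData and the limits are
// hypothetical names and values, not the PDF Export Module's API.
const MAX_BYTES = 1000000; // assumed request size cap
const MAX_DEPTH = 32;      // assumed nesting cap
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Bug class from the description: the parameter is evaluated as JavaScript,
// so whatever code the caller sends runs inside the Node.js process.
function parseUnsafe(data) {
  return new Function('return (' + data + ');')();
}

// Walk the parsed value and reject keys that could pollute prototypes.
function assertPlainData(node, depth) {
  if (depth > MAX_DEPTH) throw new RangeError('data is nested too deeply');
  if (node === null || typeof node !== 'object') return; // JSON scalars
  for (const [key, value] of Object.entries(node)) {
    if (FORBIDDEN_KEYS.has(key)) throw new TypeError('forbidden key: ' + key);
    assertPlainData(value, depth + 1);
  }
}

// Hardened form: the parameter is only ever parsed as JSON, never executed.
function parseExportData(data) {
  if (typeof data !== 'string' || Buffer.byteLength(data, 'utf8') > MAX_BYTES) {
    throw new TypeError('data must be a string within the size limit');
  }
  const value = JSON.parse(data); // SyntaxError for anything that is not JSON
  if (value === null || typeof value !== 'object' || Array.isArray(value)) {
    throw new TypeError('data must be a JSON object');
  }
  assertPlainData(value, 0);
  return value;
}

// Constructed sample inputs.
const BENIGN = '{"tasks":[{"id":1,"text":"Design","duration":3}]}';
const CODE_BEARING = '(function () { return { tasks: [], evaluated: true }; })()';

// Returns the error name if the parser rejects the input, else 'accepted'.
function verdict(parser, input) {
  try { parser(input); return 'accepted'; } catch (err) { return err.name; }
}

console.log(verdict(parseExportData, BENIGN));
console.log(verdict(parseExportData, CODE_BEARING));
console.log(parseUnsafe(CODE_BEARING).evaluated);
```

Input validation of this kind is defence in depth for a service that accepts export requests; the remediation the advisory gives is the upgrade to version 0.7.6.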