CVE-2026-41553 CRITICAL

CVE-2026-41553: Remote Code Execution in PDF Export Module

Vendor Dhtmlx

Product PDF Export Module

Weakness CWE-78

Published May 15, 2026

Last update May 15, 2026

View on NVD All CVEs

CVSS base score

10.0/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

What the vulnerability does

01Description

PDF Export Module used in DHTMLX's products Gantt and Scheduler is vulnerable to Remote Code Execution due to lack of "data" parameter sanitization. An unauthenticated attacker can inject the malicious JavaScript code to the parameter whose value is processed by Node.js and subsequently executed. This can lead to server compromise. This issue was fixed in PDF Export Module version 0.7.6.

Key dates

02Disclosure timeline

May 15, 2026 CVE published

May 15, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-41553 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/78.html

Related vulnerabilities

CVE-2026-41553: Remote Code Execution in PDF Export Module

01Description

02Disclosure timeline

03References

04Related CVE