Which versions of DHTMLX PDF Export Module are affected by CVE-2026-41553?

DHTMLX PDF Export Module (versions prior to 0.7.6) contains a critical unauthenticated remote code execution vulnerability affecting Node.js backend servers used by Gantt and Scheduler applications.. A patch is available.

DHTMLX PDF Export Module CVE-2026-41553

Q: What is the CVSS score of CVE-2026-41553?

CVE-2026-41553 has a CVSS 4.0 base score of 10.0 (Critical). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.4%.

EUVD-2026-30537 CRITICAL

OS Command Injection (CWE-78)

2026-05-15 CERT-PL

GHSA-qc73-55rc-fgph

RCE Command Injection Node.js

10.0

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

Patch available

May 15, 2026 - 14:02 EUVD

Analysis Generated

May 15, 2026 - 13:30 vuln.today

CVSS changed

May 15, 2026 - 13:22 NVD

10.0 (CRITICAL)

CVE Published

May 15, 2026 - 12:31 nvd

CRITICAL 10.0

DescriptionNVD

PDF Export Module used in DHTMLX's products Gantt and Scheduler is vulnerable to Remote Code Execution due to lack of "data" parameter sanitization. An unauthenticated attacker can inject the malicious JavaScript code to the parameter whose value is processed by Node.js and subsequently executed. This can lead to server compromise.

This issue was fixed in PDF Export Module version 0.7.6.

AnalysisAI

Remote code execution in DHTMLX PDF Export Module (used by Gantt and Scheduler) allows unauthenticated attackers to inject malicious JavaScript into unsanitized 'data' parameter, achieving arbitrary code execution on Node.js backend servers. Critical vulnerability (CVSS 4.0: 10.0) with complete system compromise potential affecting server confidentiality, integrity, and availability. …

RemediationAI

Within 24 hours: Identify all applications and servers using DHTMLX PDF Export Module and document current versions; implement network-level restrictions to limit access to affected APIs. Within 7 days: Upgrade DHTMLX PDF Export Module to version 0.7.6 or later across all production and non-production environments; validate functionality post-upgrade. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-41553 vulnerability details – vuln.today

Back

DHTMLX PDF Export Module CVE-2026-41553

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Analysis

Full analysis requires sign-in

Share

DHTMLX PDF Export Module CVE-2026-41553

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code