Which versions of DHTMLX Diagram are affected by CVE-2026-7182?

DHTMLX Diagram versions prior to 1.1.1 contain a critical path traversal vulnerability in the export module that allows unauthenticated attackers to extract sensitive server files and embed them into…. A patch is available.

DHTMLX Diagram CVE-2026-7182

Q: What is the CVSS score of CVE-2026-7182?

CVE-2026-7182 has a CVSS 4.0 base score of 9.2 (Critical). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.1%.

EUVD-2026-30539 CRITICAL

Path Traversal (CWE-22)

2026-05-15 CERT-PL

GHSA-hr7c-pw36-w99g

Path Traversal

9.2

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

Patch available

May 15, 2026 - 14:02 EUVD

Analysis Generated

May 15, 2026 - 13:30 vuln.today

CVSS changed

May 15, 2026 - 13:22 NVD

9.2 (CRITICAL)

CVE Published

May 15, 2026 - 12:31 nvd

CRITICAL 9.2

DescriptionNVD

Diagram's export module is vulnerable to Path Traversal in src attribute due to lack of HTML sanitization. An unauthenticated user could craft the html payload which could include local files from the server and display them in the generated pdf.

This issue was fixed in version 1.1.1.

AnalysisAI

Path traversal in DHTMLX Diagram's export module allows remote unauthenticated attackers to exfiltrate local server files through crafted HTML payloads in the src attribute. The vulnerability exposes high-value server-side information (CVSS VC:H, SC:H) by embedding local files into generated PDFs without requiring authentication (PR:N) or user interaction (UI:N). …

RemediationAI

Within 24 hours: Identify all systems running DHTMLX Diagram and isolate or disable the export functionality until patching is complete. Within 7 days: Upgrade DHTMLX Diagram to version 1.1.1 or later across all production and development environments. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-7182 vulnerability details – vuln.today

Back

DHTMLX Diagram CVE-2026-7182

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Analysis

Full analysis requires sign-in

Share

DHTMLX Diagram CVE-2026-7182

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code