Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
Diagram's export module is vulnerable to Path Traversal in src attribute due to lack of HTML sanitization. An unauthenticated user could craft the html payload which could include local files from the server and display them in the generated pdf.
This issue was fixed in version 1.1.1.
AnalysisAI
Path traversal in DHTMLX Diagram's export module allows remote unauthenticated attackers to exfiltrate local server files through crafted HTML payloads in the src attribute. The vulnerability exposes high-value server-side information (CVSS VC:H, SC:H) by embedding local files into generated PDFs without requiring authentication (PR:N) or user interaction (UI:N). DHTMLX released a fix in version 1.1.1, confirmed by CERT-PL advisory and vendor changelog.
Technical ContextAI
DHTMLX Diagram is a JavaScript diagramming library (cpe:2.3:a:dhtmlx:diagram) that includes server-side PDF export functionality. The vulnerability exists in the export module's HTML processing where user-supplied src attributes are not sanitized before server-side rendering. This is a classic CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) flaw. When the export module processes diagram data containing HTML elements with file:// or absolute path references in src attributes, it resolves these paths on the server filesystem rather than treating them as untrusted content. The rendered PDF then embeds the contents of these local files, effectively weaponizing the PDF generation feature as a file disclosure vector. This affects server-side JavaScript environments (likely Node.js) where the Diagram library's export functionality runs with filesystem access privileges.
RemediationAI
Upgrade to DHTMLX Diagram version 1.1.1 or later, which includes the vendor-released fix confirmed in the changelog at https://docs.dhtmlx.com/diagram/whats_new/#version-612. Organizations unable to immediately upgrade should implement compensating controls: disable the export module entirely if PDF generation is not business-critical (eliminates attack surface but removes functionality), restrict export functionality to authenticated users only with rate limiting (reduces exposure but does not prevent exploitation by authenticated attackers), or deploy input validation that blocks file:// protocol handlers and absolute filesystem paths in all user-supplied HTML attributes before passing data to the export module (requires custom validation logic and may break legitimate use cases if diagrams reference external resources). For defense in depth, run the export service in a restricted container or sandbox with minimal filesystem access limited to explicitly required directories (reduces blast radius but adds operational complexity and may impact performance). Review server logs for suspicious export requests containing file paths or file:// schemes to detect potential exploitation attempts during the vulnerability window.
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30539
GHSA-hr7c-pw36-w99g