Skip to main content

DHTMLX Diagram CVE-2026-7182

| EUVDEUVD-2026-30539 CRITICAL
Path Traversal (CWE-22)
2026-05-15 CERT-PL GHSA-hr7c-pw36-w99g
9.2
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
9.2 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
Patch available
May 15, 2026 - 14:02 EUVD
Analysis Generated
May 15, 2026 - 13:30 vuln.today
CVSS changed
May 15, 2026 - 13:22 NVD
9.2 (CRITICAL)
CVE Published
May 15, 2026 - 12:31 nvd
CRITICAL 9.2

DescriptionCVE.org

Diagram's export module is vulnerable to Path Traversal in src attribute due to lack of HTML sanitization. An unauthenticated user could craft the html payload which could include local files from the server and display them in the generated pdf.

This issue was fixed in version 1.1.1.

AnalysisAI

Path traversal in DHTMLX Diagram's export module allows remote unauthenticated attackers to exfiltrate local server files through crafted HTML payloads in the src attribute. The vulnerability exposes high-value server-side information (CVSS VC:H, SC:H) by embedding local files into generated PDFs without requiring authentication (PR:N) or user interaction (UI:N). DHTMLX released a fix in version 1.1.1, confirmed by CERT-PL advisory and vendor changelog.

Technical ContextAI

DHTMLX Diagram is a JavaScript diagramming library (cpe:2.3:a:dhtmlx:diagram) that includes server-side PDF export functionality. The vulnerability exists in the export module's HTML processing where user-supplied src attributes are not sanitized before server-side rendering. This is a classic CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) flaw. When the export module processes diagram data containing HTML elements with file:// or absolute path references in src attributes, it resolves these paths on the server filesystem rather than treating them as untrusted content. The rendered PDF then embeds the contents of these local files, effectively weaponizing the PDF generation feature as a file disclosure vector. This affects server-side JavaScript environments (likely Node.js) where the Diagram library's export functionality runs with filesystem access privileges.

RemediationAI

Upgrade to DHTMLX Diagram version 1.1.1 or later, which includes the vendor-released fix confirmed in the changelog at https://docs.dhtmlx.com/diagram/whats_new/#version-612. Organizations unable to immediately upgrade should implement compensating controls: disable the export module entirely if PDF generation is not business-critical (eliminates attack surface but removes functionality), restrict export functionality to authenticated users only with rate limiting (reduces exposure but does not prevent exploitation by authenticated attackers), or deploy input validation that blocks file:// protocol handlers and absolute filesystem paths in all user-supplied HTML attributes before passing data to the export module (requires custom validation logic and may break legitimate use cases if diagrams reference external resources). For defense in depth, run the export service in a restricted container or sandbox with minimal filesystem access limited to explicitly required directories (reduces blast radius but adds operational complexity and may impact performance). Review server logs for suspicious export requests containing file paths or file:// schemes to detect potential exploitation attempts during the vulnerability window.

Share

CVE-2026-7182 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy