ctipilot.ch

DHTMLX Diagram export module — path traversal (CVSS 4.0 score 9.2)

cve · CVE-2026-7182

  • Coverage timeline: 1 (first 2026-05-17 → last 2026-05-17)
  • Briefs: 1 (1 distinct)
  • Sources cited: 2 (2 hosts)
  • Sections touched: 0
  • Co-occurring entities: 3 (see Related entities below)

Story timeline

  1. 2026-05-17: CTI Daily Brief — 2026-05-17

Source distribution

  • cert.pl: 1 (50%)
  • euvd.enisa.europa.eu: 1 (50%)

Related entities

Items in briefs about DHTMLX Diagram export module — path traversal (CVSS 4.0 score 9.2) (1)

CVE-2026-41553 — DHTMLX PDF Export Module: unauthenticated server-side JavaScript injection RCE (CVSS 4.0 score 10.0), with CVE-2026-41552 and CVE-2026-7182 path-traversal companions

From CTI Daily Brief — 2026-05-17 · published 2026-05-17

CERT Polska disclosed three coordinated vulnerabilities in DHTMLX (Dinamika Web) JavaScript scheduling and diagram libraries on 2026-05-15 (CERT-PL, 2026-05-15; ENISA EUVD EUVD-2026-30537). The critical finding, CVE-2026-41553, is an unauthenticated RCE in the self-hosted DHTMLX PDF Export Module (a Node.js service that backs Gantt/Scheduler PDF generation). CERT-PL verbatim: "PDF Export Module used in DHTMLX's products Gantt and Scheduler is vulnerable to Remote Code Execution due to lack of data parameter sanitization. An unauthenticated attacker can inject the malicious JavaScript code to the parameter whose value is processed by Node.js and subsequently executed. This can lead to server compromise." ENISA EUVD records the CVSS 4.0 vector AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H — score 10.0. Mapped to T1190 Exploit Public-Facing Application and T1059.007 JavaScript, with the twist that execution is server-side (a Node.js eval-equivalent).

The companion CVE-2026-41552 (CVSS 4.0 score 9.2) is an unauthenticated local file inclusion in the same Gantt/Scheduler PDF export; CVE-2026-7182 (CVSS 4.0 score 9.2) is a path traversal in DHTMLX Diagram's export module (CERT-PL ties the src HTML attribute specifically to this Diagram CVE; affects versions before 1.1.1). Fixes: PDF Export Module 0.7.6 closes CVE-2026-41552 and CVE-2026-41553; Diagram 1.1.1 closes CVE-2026-7182.

Why it matters to us: DHTMLX Gantt/Scheduler/Diagram are widely OEM-embedded in EU e-Government project-management portals, healthcare scheduling stacks, and municipal infrastructure-planning tools, and the export module is often deployed on a separate internal host that operators forget about. EPSS at disclosure is 0.39 with no known exploitation, but a CVSS 10.0 unauthenticated RCE in a server-side Node.js component will be scanned for shortly.

Defenders should enumerate exposed instances of the PDF Export Module endpoint, restrict its reachability to internal trusted origins, apply egress filtering on the Node.js process, and patch immediately. Detection concepts:

  • Node.js worker processes spawning child processes;
  • web-server access logs containing data= parameters with JavaScript syntax (e.g. process., require(, child_process);
  • outbound connections from the PDF export host outside normal callback patterns.
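The access-log detection concept above, as an added example (not code from the brief, CERT-PL or DHTMLX): it pulls the data= query parameter out of combined-format access-log lines, decodes it a second time to catch double-encoding, and reports lines carrying the JavaScript indicators the brief names. The /export path and the log lines are constructed for illustration; the real endpoint path of the PDF Export Module is not stated in the brief.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Indicators named in the brief: JavaScript syntax that has no place in a
# PDF-export data payload handed to the Node.js export module.
JS_INDICATORS = ("process.", "require(", "child_process")

# Request line inside an Apache/nginx combined-format log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample lines (hypothetical /export path), not captured traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [17/May/2026:09:12:01 +0000] "GET /export?data=%7B%22tasks%22%3A%5B%5D%7D HTTP/1.1" 200 5120',
    '10.0.0.9 - - [17/May/2026:09:12:44 +0000] "GET /export?data=require(%27child_process%27) HTTP/1.1" 500 0',
    '10.0.0.9 - - [17/May/2026:09:13:02 +0000] "GET /export?data=process%252Eenv HTTP/1.1" 500 0',
    '10.0.0.7 - - [17/May/2026:09:14:10 +0000] "GET /static/app.js HTTP/1.1" 200 812',
]


def suspicious_data_params(log_lines):
    """Return (line_no, decoded data value, matched indicators) for every
    access-log line whose data= query parameter looks like JavaScript."""
    hits = []
    for line_no, line in enumerate(log_lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue  # malformed or non-request line, skip it
        query = urlsplit(match.group("target")).query
        # parse_qs already percent-decodes once; a second unquote_plus
        # exposes payloads that were double-encoded to slip past naive greps.
        for value in parse_qs(query, keep_blank_values=True).get("data", []):
            decoded = unquote_plus(value)
            found = [ind for ind in JS_INDICATORS if ind in decoded]
            if found:
                hits.append((line_no, decoded, found))
    return hits


if __name__ == "__main__":
    for line_no, decoded, found in suspicious_data_params(SAMPLE_LOG):
        print(f"line {line_no}: data={decoded!r} matched {found}")
```

If the export module is driven by POST bodies rather than query strings, the data parameter never reaches a default access log, so the same check has to run on request-body logging (reverse proxy or WAF) instead.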

CVE Summary Table

| CVE | Product | CVSS | EPSS | KEV | Exploited | Patch | Source |
|---|---|---|---|---|---|---|---|
| CVE-2026-41225 | F5 BIG-IP / BIG-IQ (iControl REST) | 8.6 (v4) / 9.1 (v3.1) | n/a | No | No | Yes (May 2026 Quarterly) | F5 K000160932 |
| CVE-2026-41553 | DHTMLX PDF Export Module (Gantt / Scheduler) | 10.0 (CVSS 4.0) | 0.39 | No | No | Yes (0.7.6) | CERT-PL |
| CVE-2026-41552 | DHTMLX PDF Export Module — path traversal | 9.2 (CVSS 4.0) | n/a | No | No | Yes (0.7.6) | CERT-PL |
| CVE-2026-7182 | DHTMLX Diagram — export module path traversal | 9.2 (CVSS 4.0) | n/a | No | No | Yes (1.1.1) | CERT-PL |
| CVE-2026-44088 | KIR SzafirHost — JAR zip-polyglot bypass | 8.6 | n/a | No | No | Yes (1.2.1) | CERT-PL |