CVE-2026-41553: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in DHTMLX PDF Export Module
PDF Export Module used in DHTMLX's products Gantt and Scheduler is vulnerable to Remote Code Execution due to lack of "data" parameter sanitization. An unauthenticated attacker can inject the malicious JavaScript code to the parameter whose value is processed by Node.js and subsequently executed. This can lead to server compromise. This issue was fixed in PDF Export Module version 0.7.6.
AI Analysis
Technical Summary
CVE-2026-41553 is an OS Command Injection vulnerability in the DHTMLX PDF Export Module used by DHTMLX Gantt and Scheduler products. The vulnerability arises from improper neutralization of special elements in the 'data' parameter, which is processed by Node.js without adequate sanitization. An unauthenticated attacker can exploit this flaw to execute arbitrary code on the server, resulting in remote code execution. The vulnerability is rated critical with a CVSS 4.0 base score of 10.0. The vendor fixed the issue in version 0.7.6 of the PDF Export Module.
Potential Impact
Successful exploitation allows unauthenticated remote attackers to execute arbitrary code on the server hosting the vulnerable PDF Export Module, leading to potential full server compromise. This can result in unauthorized access, data theft, or further attacks originating from the compromised server.
Mitigation Recommendations
Upgrade the DHTMLX PDF Export Module to version 0.7.6 or later, where this vulnerability has been fixed. Since the vulnerability is in a non-cloud product, users must apply this update themselves. Patch status is confirmed by the vendor's fix in version 0.7.6. Until upgraded, avoid exposing the vulnerable module to untrusted inputs or networks.
CVE-2026-41553: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in DHTMLX PDF Export Module
Description
PDF Export Module used in DHTMLX's products Gantt and Scheduler is vulnerable to Remote Code Execution due to lack of "data" parameter sanitization. An unauthenticated attacker can inject the malicious JavaScript code to the parameter whose value is processed by Node.js and subsequently executed. This can lead to server compromise. This issue was fixed in PDF Export Module version 0.7.6.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-41553 is an OS Command Injection vulnerability in the DHTMLX PDF Export Module used by DHTMLX Gantt and Scheduler products. The vulnerability arises from improper neutralization of special elements in the 'data' parameter, which is processed by Node.js without adequate sanitization. An unauthenticated attacker can exploit this flaw to execute arbitrary code on the server, resulting in remote code execution. The vulnerability is rated critical with a CVSS 4.0 base score of 10.0. The vendor fixed the issue in version 0.7.6 of the PDF Export Module.
Potential Impact
Successful exploitation allows unauthenticated remote attackers to execute arbitrary code on the server hosting the vulnerable PDF Export Module, leading to potential full server compromise. This can result in unauthorized access, data theft, or further attacks originating from the compromised server.
Mitigation Recommendations
Upgrade the DHTMLX PDF Export Module to version 0.7.6 or later, where this vulnerability has been fixed. Since the vulnerability is in a non-cloud product, users must apply this update themselves. Patch status is confirmed by the vendor's fix in version 0.7.6. Until upgraded, avoid exposing the vulnerable module to untrusted inputs or networks.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- CERT-PL
- Date Reserved
- 2026-04-21T12:09:57.293Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a071a5fec166c07b0467579
Added to database: 5/15/2026, 1:06:39 PM
Last enriched: 5/15/2026, 1:21:41 PM
Last updated: 5/15/2026, 4:07:41 PM
Views: 5
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.