PT-2026-41296 · Dhtmlx · Pdf Export Module
CVSS v4.0
10
Critical
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H |
Name of the Vulnerable Software and Affected Versions
PDF Export Module versions prior to 0.7.6
Description
The PDF Export Module used in DHTMLX Gantt and Scheduler allows unauthenticated remote code execution. The issue stems from insufficient sanitization of the
data parameter. An attacker can inject malicious JavaScript code into this parameter, which is then processed and executed by Node.js, potentially leading to full server compromise.Recommendations
Update to version 0.7.6.
As a temporary workaround, restrict access to the
data parameter within the PDF Export Module to minimize the risk of exploitation.Fix
RCE
OS Command Injection
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Pdf Export Module