Full Report
CERT Polska has received a report about three vulnerabilities (CVE-2026-7182, CVE-2026-41552 and CVE-2026-41553) found in DHTMLX software.
Analysis Summary
# Vulnerability: Multiple Flaws in DHTMLX Diagram and PDF Export Modules
## CVE Details
- **CVE ID:** CVE-2026-7182, CVE-2026-41552, CVE-2026-41553
- **CVSS Score:** Not provided in the report (an estimate only: CVE-2026-41553 would rate High/Critical, since it is unauthenticated remote code execution)
- **CWE:**
- CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
- CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
## Affected Systems
- **Products:**
- DHTMLX Diagram (and its export module)
- DHTMLX PDF Export Module (used in Gantt and Scheduler products)
- **Versions:**
- Diagram: 1.0.0 through 1.1.1
- PDF Export Module: 0.3.3 through 0.7.6
- **Configurations:** Systems utilizing the PDF export functionality and the Node.js-based processing backend.
## Vulnerability Description
Three distinct vulnerabilities were identified within DHTMLX components:
1. **CVE-2026-7182 & CVE-2026-41552 (Path Traversal):** Both the Diagram export module and the PDF Export Module fail to sanitize the `src` attribute of the HTML submitted for rendering. An unauthenticated attacker can submit a crafted HTML fragment whose `src` points at a local file on the export server; the renderer embeds that file in the generated PDF, which is then returned to the attacker.
2. **CVE-2026-41553 (Remote Code Execution):** The PDF Export Module used by Gantt and Scheduler does not sanitize the `data` parameter. Because the Node.js backend processes this value as code rather than as inert data, an attacker can inject JavaScript that runs on the server with the privileges of the export service, leading to full compromise of that host.
## Exploitation
- **Status:** Reported to CERT Polska via coordinated disclosure. The technical description outlines the payload shape, but the report does not confirm active "in the wild" exploitation.
- **Complexity:** Low (an attacker only needs to craft HTML or JavaScript payloads in the export request parameters; no authentication or user interaction is required).
- **Attack Vector:** Network (Unauthenticated remote access).
## Impact
- **Confidentiality:** High (Ability to read local server files via Path Traversal and full data access via RCE).
- **Integrity:** High (Ability to execute arbitrary code and modify server data via RCE).
- **Availability:** High (Potential for server shutdown or resource exhaustion via RCE).
## Remediation
### Patches
The vendor has released updates to address these flaws. Users should upgrade to the following versions:
- **DHTMLX Diagram:** Upgrade to version **1.1.1** or higher.
- **PDF Export Module:** Upgrade to version **0.7.6** or higher.
Note that the affected-version ranges above list 1.1.1 and 0.7.6 as their upper bounds, so the boundary is ambiguous in this summary; confirm the exact first fixed build against the CERT Polska and vendor advisories before declaring a deployment patched.
### Workarounds
- **Input Neutralization:** If an immediate upgrade is not possible, filter export requests server-side before they reach the DHTMLX modules: allow only absolute `http`/`https` URLs (and, if needed, inline `data:image/` URIs) in `src` attributes, rejecting `file:` URIs, other schemes and relative paths, and reject any `data` value that is not the well-formed structured input the export expects. Treat this as a stopgap, not a fix: the filter must decode HTML entities and strip whitespace before checking the scheme, because `&#102;ile:` and `fi<TAB>le:` reach the renderer as `file:`.
- **Isolation:** Run the Node.js export service in a dedicated container or VM with a read-only filesystem, no mounted secrets or credentials, and outbound network access blocked, so that a successful file read or code execution yields nothing of value and cannot pivot further.
- **Access Control:** Restrict access to the export API endpoints to trusted users or source IPs only; the export endpoint is reachable unauthenticated by default in the affected configurations.
## Detection
- **Indicators of Compromise:**
- `file:///` URIs, directory traversal sequences (e.g., `../../etc/passwd`) or Windows drive paths (e.g., `C:\Windows\`) inside `src` attributes of HTML submitted to export endpoints.
- Unexpected child processes spawned by the Node.js export service, or outbound network connections from the export server that the service does not normally make.
- **Detection Methods:** Monitor POST requests sent to the export modules for JavaScript syntax (e.g., `require(`, `child_process`, `process.`) in the `data` parameter and for non-`http(s)` schemes or traversal patterns in `src` attributes. Standard web server access logs record only the request line and headers, not the POST body where these payloads live, so detection requires WAF inspection or application-level logging of the export request body.
## References
- **CVE Record:** hxxps://www[.]cve[.]org/CVERecord?id=CVE-2026-7182
- **CVE Record:** hxxps://www[.]cve[.]org/CVERecord?id=CVE-2026-41552
- **CVE Record:** hxxps://www[.]cve[.]org/CVERecord?id=CVE-2026-41553
- **CERT Polska Advisory:** hxxps://cert[.]pl/en/posts/2026/05/vulnerabilities-in-dhtmlx/