Cyber Resilience

CVE-2026-41553

CriticalRCE

Published: 15 May 2026

Published
15 May 2026
Modified
18 May 2026
KEV Added
Patch
CVSS Score v4 10.0 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0065 46.5th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-41553 is a critical-severity OS Command Injection (CWE-78) vulnerability in Dhtmlx Pdf Export Module. Its CVSS base score is 10.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 46.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

PDF Export Module used in DHTMLX's products Gantt and Scheduler is vulnerable to Remote Code Execution due to lack of "data" parameter sanitization. An unauthenticated attacker can inject the malicious JavaScript code to the parameter whose value is processed by…

more

Node.js and subsequently executed. This can lead to server compromise. This issue was fixed in PDF Export Module version 0.7.6.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.007 JavaScript Execution
Adversaries may abuse various implementations of JavaScript for execution.
Why these techniques?

Direct unauthenticated RCE via unsanitized parameter in public-facing Node.js PDF export module enables T1190 and server-side JS execution via T1059.007.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-9645Shared CWE-78
CVE-2025-43984Shared CWE-78
CVE-2026-34176Shared CWE-78
CVE-2026-47294Shared CWE-78
CVE-2020-37125Shared CWE-78
CVE-2024-49601Shared CWE-78
CVE-2025-62354Shared CWE-78
CVE-2022-50596Shared CWE-78
CVE-2025-56819Shared CWE-78
CVE-2025-48703Shared CWE-78

Affected Assets

dhtmlx
pdf export module
≤ 0.7.6

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-78

Platform-independent apps typically execute inside a managed runtime or sandbox that restricts direct OS command execution, reducing the ability to exploit OS command injection.

addresses: CWE-78

Validates inputs to block special elements that would alter OS command execution.

References