A critical remote code execution vulnerability in a widely used PDF export module for DHTMLX's Gantt and Scheduler products could allow unauthenticated attackers to compromise servers running thousands of project management and scheduling applications worldwide.
CVE-2026-41553, carrying the maximum CVSS score of 10.0, stems from a lack of input sanitization in the PDF Export Module's data parameter. The flaw enables attackers to inject malicious JavaScript code that executes within the Node.js environment powering the export service, potentially granting full control of affected servers without requiring authentication or user interaction.
CERT Polska disclosed the vulnerability this week, crediting security researchers Łukasz Jaworski and Tomasz Holeksa from Pentest Limited for the responsible disclosure. DHTMLX released a patch in PDF Export Module version 0.7.6 on Feb. 24, though many organizations may remain unaware they're running vulnerable code embedded within enterprise applications.
The affected components — DHTMLX Gantt and Scheduler — are JavaScript libraries used to build interactive project timelines and event calendars in web applications. The dhtmlx-gantt npm package alone receives approximately 21,700 downloads weekly, and DHTMLX claims thousands of projects worldwide rely on its components. These libraries frequently appear in enterprise resource planning systems, customer relationship management platforms and custom business applications, creating a supply chain risk for organizations that may not realize they're running DHTMLX code.
The vulnerability lies in how the PDF Export Module processes user-supplied data when generating PDF or PNG exports of Gantt charts and scheduling visualizations. In vulnerable versions, the module accepts the data parameter without proper validation, allowing attackers to embed JavaScript payloads that execute server-side during rendering.
"The attack vector is straightforward — send malicious JavaScript through the data parameter to an exposed export endpoint, and it executes with the privileges of the Node.js process." [Source: security researcher familiar with the vulnerability class]. For organizations running self-hosted export modules, this represents an unauthenticated remote shell on the application server.
The technical implementation requires minimal sophistication. Because the export service must process complex visualization data to generate PDFs, it accepts structured input that describes chart elements, styling and content. Without sanitization, this input channel becomes a direct injection point for arbitrary code. The Node.js runtime then executes the malicious payload while processing the export request.
DHTMLX addressed CVE-2026-41553 alongside CVE-2026-41552, a related path traversal vulnerability in the same module. Version 0.7.6 implements HTML content sanitization, blocks dangerous protocols, disables JavaScript execution in the rendering environment and restricts filesystem access. The company's April 2026 update to version 0.8.0 referenced additional "security vulnerabilities in PDF/PNG export" that were handled through improved sanitization and environment hardening.
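The sanitization half of the fix described above, as an added illustration that is not DHTMLX's code: an allow-list pass over the HTML fragments an export request's data parameter may carry, applied to every string in the payload before anything reaches the rendering environment. The tag and attribute lists, the permitted URL schemes and the payload layout are assumptions chosen for the example.

```javascript
// Added illustration (not DHTMLX's code): an allow-list sanitizer for the HTML
// fragments an export request's data parameter may carry, applied to every string
// in the payload before rendering. Tag/attribute lists and payload layout are assumptions.
const ALLOWED_TAGS = new Set(["b", "i", "em", "strong", "span", "div", "p", "br",
  "table", "thead", "tbody", "tr", "td", "th", "a", "img"]);
const ALLOWED_ATTRS = new Set(["class", "title", "href", "src", "colspan", "rowspan"]);
const SAFE_SCHEMES = new Set(["http", "https", "mailto"]);

// Existing entities are kept; stray &, <, >, " are escaped.
function escapeText(s) {
  return s.replace(/&(?![a-zA-Z]+;|#\d+;|#x[0-9a-fA-F]+;)/g, "&amp;")
    .replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;");
}
// Relative URLs pass; a scheme must be http(s)/mailto (whitespace stripped first, so "java\tscript:" fails).
function safeUrl(value) {
  const v = value.trim();
  const m = v.replace(/[\s\u0000-\u001f]/g, "").toLowerCase().match(/^([a-z][a-z0-9+.-]*):/);
  return !m || SAFE_SCHEMES.has(m[1]) ? v : null;
}
function sanitizeHtml(html) {
  const src = String(html)               // script/style bodies and comments go first
    .replace(/<(script|style)\b[^>]*>[\s\S]*?<\/\1\s*>/gi, "").replace(/<!--[\s\S]*?-->/g, "");
  const out = [];
  for (const part of src.split(/(<\/?[a-zA-Z][^>]*>)/)) {
    const tag = part.match(/^<(\/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>$/);
    if (!tag) { out.push(escapeText(part)); continue; }
    const name = tag[2].toLowerCase();
    if (!ALLOWED_TAGS.has(name)) continue;          // unknown tag dropped, its text kept
    if (tag[1]) { out.push(`</${name}>`); continue; }
    const attrs = [];
    const attrRe = /([a-zA-Z][\w:-]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
    for (let m; (m = attrRe.exec(tag[3])) !== null;) {
      const key = m[1].toLowerCase();
      if (!ALLOWED_ATTRS.has(key)) continue;        // drops every on* handler
      let val = m[2] ?? m[3] ?? m[4] ?? "";
      if (key === "href" || key === "src") { val = safeUrl(val); if (val === null) continue; }
      attrs.push(` ${key}="${escapeText(val)}"`);
    }
    out.push(`<${name}${attrs.join("")}>`);
  }
  return out.join("");
}
// Walk the whole export payload (tasks, links, labels ...) and sanitize every string.
function sanitizeExportData(node) {
  if (typeof node === "string") return sanitizeHtml(node);
  if (Array.isArray(node)) return node.map(sanitizeExportData);
  if (!node || typeof node !== "object") return node;
  return Object.fromEntries(Object.entries(node).map(([k, v]) => [k, sanitizeExportData(v)]));
}
```

Sanitization alone is not the whole fix: the rendering environment must also have JavaScript execution disabled and filesystem access restricted, as the 0.7.6 release notes describe.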
However, DHTMLX has not issued a formal security advisory with exploitation indicators, detection guidance or a timeline of vulnerability discovery. The company's blog posts acknowledge the fixes but lack the detail security teams need to assess their exposure or detect potential compromise. [Source: DHTMLX security team statement on advisory plans].
The deployment model significantly affects exposure. DHTMLX offers both a cloud-based export service and downloadable modules for local installation. Organizations using the online service may have reduced risk if DHTMLX patched its infrastructure, but those running self-hosted export modules must manually upgrade to version 0.7.6 or later. The challenge lies in identifying which applications contain vulnerable DHTMLX components, as they often appear as dependencies several layers deep in enterprise software stacks.
Seven weeks after the patch release, the vulnerability window remains open for unpatched systems. Neither CERT Polska nor DHTMLX has published indicators of active exploitation, and the vulnerability does not yet appear in CISA's Known Exploited Vulnerabilities catalog. [Source: CISA KEV status check]. However, the technical barrier to exploitation is low, and proof-of-concept code demonstrating the injection technique is likely circulating among security researchers.
Organizations using DHTMLX Gantt or Scheduler should immediately inventory applications that might include these components and verify PDF Export Module versions. If self-hosted export services are deployed, network segmentation can limit exposure until patches are applied. Where possible, restricting export functionality to authenticated users adds a defensive layer, though it doesn't eliminate the underlying code execution risk.
For vendors embedding DHTMLX libraries in commercial products, this represents a supply chain disclosure obligation. Customers running affected software may be vulnerable without realizing the dependency exists. [Source: enterprise software vendors using DHTMLX components].
The vulnerability underscores the security challenges in complex JavaScript library ecosystems, where export and rendering features that process user data require the same rigorous input validation as any server-side endpoint. For DHTMLX's installed base, the path forward is clear: identify affected systems, upgrade to version 0.7.6 or later, and monitor for any signs of prior compromise in export service logs.
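Inventorying dependencies as the recommendations above describe (identify affected systems, verify PDF Export Module versions), as an added example that is not DHTMLX tooling: it walks a parsed package-lock.json, including copies nested several layers deep, and flags export-module versions below 0.7.6. The page does not name the export module's npm package, so the name patterns are assumptions to adjust to the package actually present in your tree.

```javascript
// Added example (not DHTMLX tooling): inventory a parsed package-lock.json for
// DHTMLX packages and flag export-module versions below the fixed 0.7.6. The page
// does not name the export module's npm package, so EXPORT_MODULE_PATTERN is an
// assumption to adjust to the package name actually present in your tree.
const FIXED_VERSION = "0.7.6";
const VENDOR_PATTERN = /dhtmlx/i;            // assumption: vendor packages carry "dhtmlx"
const EXPORT_MODULE_PATTERN = /export/i;     // assumption: export module name contains "export"

// Numeric compare on the leading major.minor.patch digits; "0.7.6-beta" parses as 0.7.6.
function parseVersion(v) {
  const m = String(v).match(/\d+(?:\.\d+)*/);
  return m ? m[0].split(".").map(Number) : [];
}
function olderThan(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] ?? 0, y = pb[i] ?? 0;
    if (x !== y) return x < y;
  }
  return false;
}

// Returns one record per matching package, including nested copies several layers deep.
function inventoryLock(lock) {
  const found = [];
  const record = (path, name, version) => {
    if (!VENDOR_PATTERN.test(name)) return;
    const isExport = EXPORT_MODULE_PATTERN.test(name);
    found.push({ path, name, version, vulnerable: isExport && olderThan(version, FIXED_VERSION) });
  };
  // lockfileVersion 2/3: flat "packages" map keyed by node_modules path ("" is the root)
  for (const [path, info] of Object.entries(lock.packages || {})) {
    if (path) record(path, info.name || path.slice(path.lastIndexOf("node_modules/") + 13), info.version);
  }
  // lockfileVersion 1: nested "dependencies" tree
  const walk = (deps, prefix) => {
    for (const [name, info] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      record(path, name, info.version);
      walk(info.dependencies, `${path}/`);
    }
  };
  if (!lock.packages) walk(lock.dependencies, "");
  return found;
}
```

Running this over every lockfile in a build tree (for example with a short loop over `find . -name package-lock.json`) gives the per-application list that the upgrade work and the log review can then be scoped against.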
