CVE-2026-41553 -- CVSS 10.0 Vulnerability Briefing
CVE-2026-41553 | CVSS 10.0 (Critical) | Exploit: No known exploit
What Is It
CVE-2026-41553 is a critical remote code execution vulnerability in the DHTMLX PDF Export Module, a component used across DHTMLX's Gantt and Scheduler products, caused by insufficient sanitization of the "data" parameter.
Technical Detail
The vulnerability stems from a failure to sanitize user-supplied input passed through the "data" parameter in the PDF Export Module, allowing an unauthenticated attacker to inject malicious content that results in server-side code execution. Because no authentication is required to trigger the flaw, the attack surface is exposed to any network-accessible instance of the affected module. Successful exploitation grants an attacker arbitrary code execution in the context of the server process, which could lead to full system compromise, data exfiltration, or lateral movement within the hosting environment.
Exploitation Status
No known exploit has been publicly documented or observed in the wild as of May 22, 2026. This vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities catalog. Despite the absence of confirmed exploitation, the unauthenticated attack vector and maximum CVSS score of 10.0 make this a high-priority candidate for weaponization.
Who Is Targeting This
No specific threat actor attribution at this time. No campaigns or targeted sectors have been associated with this vulnerability in available intelligence sources.
What To Do
Organizations using DHTMLX Gantt or Scheduler with the PDF Export Module should apply vendor-supplied patches immediately upon availability and treat this as a critical priority given the unauthenticated RCE potential. If a patch is not yet available, consider disabling or restricting access to the PDF export functionality at the network or application layer until a fix is confirmed. Defenders should monitor server-side process execution logs for anomalous child processes spawned by the web application or PDF rendering service. Input validation controls at the web application firewall layer targeting the "data" parameter may provide partial mitigation but should not be treated as a substitute for patching.
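The process-monitoring advice above can be turned into a concrete check. The following is an added example, not code from the briefing or from DHTMLX: it parses constructed process-creation log lines, and flags any shell or interpreter whose ancestry (a few levels up) leads back to the web application or PDF rendering service. The log format, the process names in RENDER_PARENTS and SUSPICIOUS_CHILDREN, and all PIDs are assumptions to be replaced with what your own EDR or auditd output actually records.

```python
"""
Added example: flag child processes spawned (directly or through an
intermediate shell) by a web application / PDF rendering service.
Log format, process names and sample events are constructed for illustration.
"""
import re
from dataclasses import dataclass

# ASSUMED placeholders for the processes that legitimately host the export and
# render work; substitute the real service names seen in your environment.
RENDER_PARENTS = {"node", "java", "wkhtmltopdf", "phantomjs"}

# Executables a PDF export/render process has no business launching.
SUSPICIOUS_CHILDREN = {"sh", "bash", "dash", "cmd.exe", "powershell.exe",
                       "curl", "wget", "nc", "python", "perl"}

# Constructed log format: <ts> pid=<n> ppid=<n> exe=<name> cmd="<command line>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) pid=(?P<pid>\d+) ppid=(?P<ppid>\d+) '
    r'exe=(?P<exe>\S+) cmd="(?P<cmd>[^"]*)"$'
)

# Constructed sample events: a render service spawning its normal renderer,
# then a shell that in turn spawns curl; plus an unrelated admin SSH session.
SAMPLE_LOG = """
2026-05-22T10:00:01Z pid=100 ppid=1 exe=node cmd="node export-service.js"
2026-05-22T10:00:05Z pid=101 ppid=100 exe=wkhtmltopdf cmd="wkhtmltopdf /tmp/in.html /tmp/out.pdf"
2026-05-22T10:00:09Z pid=102 ppid=100 exe=sh cmd="sh -c whoami"
2026-05-22T10:00:10Z pid=103 ppid=102 exe=curl cmd="curl http://198.51.100.7/"
2026-05-22T10:00:12Z pid=200 ppid=1 exe=sshd cmd="sshd: admin"
2026-05-22T10:00:13Z pid=201 ppid=200 exe=bash cmd="bash -l"
""".strip().splitlines()


@dataclass(frozen=True)
class ProcEvent:
    ts: str
    pid: int
    ppid: int
    exe: str
    cmd: str


def parse_event(line):
    """Parse one log line; return None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return ProcEvent(m["ts"], int(m["pid"]), int(m["ppid"]), m["exe"], m["cmd"])


def find_suspicious_children(lines, max_depth=3):
    """Return findings for suspicious executables descended from a render parent.

    Ancestry is walked up to max_depth levels so that "node -> sh -> curl"
    attributes curl to the render service even though its direct parent is sh.
    """
    events = [e for e in map(parse_event, lines) if e is not None]
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        if e.exe not in SUSPICIOUS_CHILDREN:
            continue
        chain = [e.exe]
        cur = e
        for _ in range(max_depth):
            parent = by_pid.get(cur.ppid)
            if parent is None:          # parent not in the log window (or PID 1)
                break
            chain.insert(0, parent.exe)
            if parent.exe in RENDER_PARENTS:
                findings.append({"pid": e.pid, "exe": e.exe, "cmd": e.cmd,
                                 "chain": " -> ".join(chain)})
                break
            cur = parent
    return findings


if __name__ == "__main__":
    for f in find_suspicious_children(SAMPLE_LOG):
        print(f"ALERT pid={f['pid']} chain={f['chain']} cmd={f['cmd']!r}")
```

Run against the constructed sample, the detector reports the shell (pid 102) and the curl it launched (pid 103) with their full ancestry chain, while the renderer child and the admin's bash under sshd are left alone. Tune RENDER_PARENTS to the real service names and add any legitimate helper binaries the export path invokes to an allowlist before deploying, otherwise normal rendering will generate noise.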