CVE 9.2 CRITICAL

Path Traversal in Diagram_CVE-2026-7182

May 15, 2026 invoker category_cve

9.2 / 10

CRITICAL

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N

Description

Diagram's export module is vulnerable to Path Traversal in src attribute due to lack of HTML sanitization. An unauthenticated user could craft the html payload which could include local files from the server and display them in the generated pdf. This issue was fixed in version 1.1.1.

AI Analysis

Path Traversal vulnerability in Diagram's export module due to lack of HTML sanitization, allowing an unauthenticated user to craft an HTML payload and display local files from the server in the generated PDF.

Basic Information

ID CVE-2026-7182

Source CERT-PL

Published May 15, 2026 at 12:31

Modified May 15, 2026 at 13:20

Affected Product

Vendor DHTMLX

Product Diagram

Version 1.0.0

Affected Versions DHTMLX Diagram 1.0.0

CWE Classification

CWE-22

AI Assessment

AI Score 9.2 / 10

AI Severity Critical

Vendor DHTMLX

Product Diagram

Version 1.0.0

References

{
    "lastseen": "",
    "description": "Diagram's export module is vulnerable to Path Traversal in src attribute due to lack of HTML sanitization. An unauthenticated user could craft the html payload which could include local files from the server and display them in the generated pdf. This issue was fixed in version 1.1.1.",
    "published": "2026-05-15T12:31:16.126Z",
    "modified": "2026-05-15T13:20:15.866Z",
    "type": "cve",
    "title": "Path Traversal in Diagram",
    "source": "CERT-PL",
    "references": "https://cert.pl/en/posts/2026/05/CVE-2026-7182\nhttps://docs.dhtmlx.com/diagram/whats_new/#version-612\nhttps://dhtmlx.com/docs/products/dhtmlxDiagram/",
    "id": "CVE-2026-7182",
    "bulletinFamily": "",
    "cwe": [
        "CWE-22"
    ],
    "cvelist": null,
    "sourceData": "DHTMLX Diagram 1.0.0",
    "sourceHref": "",
    "cvss": {
        "score": 9.2,
        "severity": "CRITICAL",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Diagram",
    "version": "1.0.0",
    "vendor": "DHTMLX",
    "ai_description": "Path Traversal vulnerability in Diagram's export module due to lack of HTML sanitization, allowing an unauthenticated user to craft an HTML payload and display local files from the server in the generated PDF.",
    "ai_severity": "Critical",
    "ai_vendor": "DHTMLX",
    "ai_product": "Diagram",
    "ai_version": "1.0.0",
    "ai_score": 9.2
}

💭 Join the Security Discussion ❌ Cancel Reply