CVEFinder.io

CVE-2026-7182

🔶 medium
🔍 Scan for this CVE
Summary

Diagram's export module is vulnerable to Path Traversal in src attribute due to lack of HTML sanitization. An unauthenticated user could craft the html payload which could include local files from the server and display them in the generated pdf. This issue was fixed in version 1.1.1.

CVSS Score
-
EPSS Score
0.1
Exploit Probability
Published Date
2026-05-15
First Seen: 2026-05-17
🎯 CISA SSVC Assessment Updated: May 15, 2026
🔍 Exploitation Status
None
No known exploits
⚙️ Automatable
YES
Can be exploited automatically
💥 Technical Impact
Partial
Limited system impact
🏆 Discovered By
Łukasz Jaworski (Pentest Limited) Tomasz Holeksa (Pentest Limited)
SSVC data provided by CISA
Last Modified 2026-05-15
Source NVD 🔗
CVSS Vector 4.0 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CWE IDs (Weakness Types)
CWE-22

📦 Affected Products 0

No affected products information available

🔗 References 3

https://cert.pl/en/posts/2026/05/CVE-2026-7182
https://dhtmlx.com/docs/products/dhtmlxDiagram/
https://docs.dhtmlx.com/diagram/whats_new/#version-612