Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
PDF Export Module used in DHTMLX's products Gantt and Scheduler is vulnerable to Path Traversal due to lack of HTML sanitization. An unauthenticated user could craft the html payload which could include local files from the server and display them in the generated PDF.
This issue was fixed in PDF Export Module version 0.7.6.
AnalysisAI
Path traversal in DHTMLX PDF Export Module (used by Gantt and Scheduler) allows remote unauthenticated attackers to read arbitrary local files from the server and embed them in generated PDFs. The vulnerability stems from insufficient HTML sanitization in the module's PDF generation process. CERT-PL reported this issue, and DHTMLX released version 0.7.6 to address it. No active exploitation confirmed by CISA KEV, but the low attack complexity and network attack vector make this a priority for organizations using affected Gantt or Scheduler deployments.
Technical ContextAI
The DHTMLX PDF Export Module is a server-side component used by DHTMLX Gantt and Scheduler products to generate PDF documents from project data and scheduling information. The vulnerability (CWE-22: Path Traversal) exists in the module's HTML-to-PDF conversion process, which fails to properly sanitize user-controlled HTML input before processing. When generating PDFs, the module interprets HTML payloads that can contain file path references using techniques like local file inclusion through img src, iframe, or object tags pointing to file:// URIs or relative paths. The CVSS 4.0 vector (AV:N/AC:L/PR:N/UI:N) indicates this is a network-accessible vulnerability with low attack complexity requiring no authentication or user interaction, enabling direct exploitation against the PDF export endpoint. The VC:H/SC:H scoring reflects high confidentiality impact on both the vulnerable system and subsequent systems, as attackers can exfiltrate sensitive files and potentially chain this with other vulnerabilities.
RemediationAI
Upgrade DHTMLX PDF Export Module to version 0.7.6 or later, which includes fixes for both the path traversal (CVE-2026-41552) and related remote code execution vulnerabilities per the vendor changelog at https://docs.dhtmlx.com/gantt/guides/pdf-export-module-whatsnew/#076. For DHTMLX Gantt and Scheduler products, consult vendor guidance to obtain updated package versions that bundle the patched module. If immediate patching is not feasible, implement compensating controls: (1) disable PDF export functionality entirely if not business-critical-this eliminates the attack surface but may disrupt user workflows; (2) restrict PDF generation endpoints to authenticated users only and validate user permissions-reduces exposure but does not prevent exploitation by authenticated attackers; (3) deploy web application firewall rules to block HTML payloads containing file:// URIs, ../ sequences, or common sensitive file paths like /etc/passwd-provides partial mitigation but can be bypassed with encoding or alternate syntax; (4) run the PDF export service in a sandboxed container with minimal filesystem access-limits file disclosure scope but requires infrastructure changes. These workarounds have operational trade-offs and should be considered temporary measures only.
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30538
GHSA-cj88-m5vv-89m3