Skip to main content

DHTMLX PDF Export Module CVE-2026-41552

| EUVDEUVD-2026-30538 CRITICAL
Path Traversal (CWE-22)
2026-05-15 CERT-PL GHSA-cj88-m5vv-89m3
9.2
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
9.2 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
Patch available
May 15, 2026 - 14:02 EUVD
Analysis Generated
May 15, 2026 - 13:30 vuln.today
CVSS changed
May 15, 2026 - 13:22 NVD
9.2 (CRITICAL)
CVE Published
May 15, 2026 - 12:31 nvd
CRITICAL 9.2

DescriptionCVE.org

PDF Export Module used in DHTMLX's products Gantt and Scheduler is vulnerable to Path Traversal due to lack of HTML sanitization. An unauthenticated user could craft the html payload which could include local files from the server and display them in the generated PDF.

This issue was fixed in PDF Export Module version 0.7.6.

AnalysisAI

Path traversal in DHTMLX PDF Export Module (used by Gantt and Scheduler) allows remote unauthenticated attackers to read arbitrary local files from the server and embed them in generated PDFs. The vulnerability stems from insufficient HTML sanitization in the module's PDF generation process. CERT-PL reported this issue, and DHTMLX released version 0.7.6 to address it. No active exploitation confirmed by CISA KEV, but the low attack complexity and network attack vector make this a priority for organizations using affected Gantt or Scheduler deployments.

Technical ContextAI

The DHTMLX PDF Export Module is a server-side component used by DHTMLX Gantt and Scheduler products to generate PDF documents from project data and scheduling information. The vulnerability (CWE-22: Path Traversal) exists in the module's HTML-to-PDF conversion process, which fails to properly sanitize user-controlled HTML input before processing. When generating PDFs, the module interprets HTML payloads that can contain file path references using techniques like local file inclusion through img src, iframe, or object tags pointing to file:// URIs or relative paths. The CVSS 4.0 vector (AV:N/AC:L/PR:N/UI:N) indicates this is a network-accessible vulnerability with low attack complexity requiring no authentication or user interaction, enabling direct exploitation against the PDF export endpoint. The VC:H/SC:H scoring reflects high confidentiality impact on both the vulnerable system and subsequent systems, as attackers can exfiltrate sensitive files and potentially chain this with other vulnerabilities.

RemediationAI

Upgrade DHTMLX PDF Export Module to version 0.7.6 or later, which includes fixes for both the path traversal (CVE-2026-41552) and related remote code execution vulnerabilities per the vendor changelog at https://docs.dhtmlx.com/gantt/guides/pdf-export-module-whatsnew/#076. For DHTMLX Gantt and Scheduler products, consult vendor guidance to obtain updated package versions that bundle the patched module. If immediate patching is not feasible, implement compensating controls: (1) disable PDF export functionality entirely if not business-critical-this eliminates the attack surface but may disrupt user workflows; (2) restrict PDF generation endpoints to authenticated users only and validate user permissions-reduces exposure but does not prevent exploitation by authenticated attackers; (3) deploy web application firewall rules to block HTML payloads containing file:// URIs, ../ sequences, or common sensitive file paths like /etc/passwd-provides partial mitigation but can be bypassed with encoding or alternate syntax; (4) run the PDF export service in a sandboxed container with minimal filesystem access-limits file disclosure scope but requires infrastructure changes. These workarounds have operational trade-offs and should be considered temporary measures only.

Share

CVE-2026-41552 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy