CVE-2026-41552
published 2026-05-15
Priority P3 · 46 · high · 7.5 · CVSS 3.1
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS: 0.50% (38.8th percentile)
The PDF Export Module used in DHTMLX's Gantt and Scheduler products is vulnerable to Path Traversal due to a lack of HTML sanitization. An unauthenticated user could craft an HTML payload that includes local files from the server and displays them in the generated PDF.
This issue was fixed in PDF Export Module version 0.7.6.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| dhtmlx | pdf_export_module | >= 0.3.3 < 0.7.6 | 0.7.6 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| nvd | v4.0 | 9.2 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
VulDB
DHTMLX PDF Export Module up to 0.7.5 path traversal
vuldb·2026-05-15·CVSS 9.2
CVE-2026-41552 [CRITICAL] DHTMLX PDF Export Module up to 0.7.5 path traversal
A vulnerability categorized as critical has been discovered in DHTMLX PDF Export Module up to 0.7.5. Affected is an unknown function. The manipulation results in path traversal.
This vulnerability is identified as CVE-2026-41552. The attack can be executed remotely. There is not any exploit available.
It is advisable to upgrade the affected component.
GHSA
GHSA-cj88-m5vv-89m3: PDF Export Module used in DHTMLX's products Gantt and Scheduler is vulnerable to Path Traversal due to lack of HTML sanitization
ghsa_unreviewed·2026-05-15
CVE-2026-41552 [CRITICAL] CWE-22 GHSA-cj88-m5vv-89m3: PDF Export Module used in DHTMLX's products Gantt and Scheduler is vulnerable to Path Traversal due to lack of HTML sanitization
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2026-05-15