CVE-2026-41552

HIGH

Path Traversal in PDF Export Module

Title source: cna

Description

PDF Export Module used in DHTMLX's products Gantt and Scheduler is vulnerable to Path Traversal due to lack of HTML sanitization. An unauthenticated user could craft the html payload which could include local files from the server and display them in the generated PDF. This issue was fixed in PDF Export Module version 0.7.6.

References (2)

Core 2

Core References

Third Party Advisory third-party-advisory

https://cert.pl/en/posts/2026/05/CVE-2026-7182

Release Notes release-notes

https://docs.dhtmlx.com/gantt/guides/pdf-export-module-whatsnew/#076:~:text=Fixed%20Remote%20Code%20Execution%20and%20File%20Read%20vulnerabilities

Scores

CVSS v3 7.5

EPSS 0.0050

EPSS Percentile 38.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-22

Status published

Products (2)

DHTMLX/PDF Export Module 0.3.3 - 0.7.6

dhtmlx/pdf_export_module 0.3.3 - 0.7.6

Published May 15, 2026

Tracked Since May 15, 2026