CVE 9.2 CRITICAL

Path Traversal in PDF Export Module_CVE-2026-41552

May 15, 2026 invoker category_cve

9.2 / 10

CRITICAL

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N

Description

PDF Export Module used in DHTMLX's products Gantt and Scheduler is vulnerable to Path Traversal due to lack of HTML sanitization. An unauthenticated user could craft the html payload which could include
local files from the server and display them in the generated PDF.

This issue was fixed in PDF Export Module version 0.7.6.

AI Analysis

Path Traversal vulnerability in PDF Export Module due to lack of HTML sanitization, allowing an unauthenticated user to craft an HTML payload and display local files from the server in the generated PDF.

Basic Information

ID CVE-2026-41552

Source CERT-PL

Published May 15, 2026 at 12:31

Modified May 15, 2026 at 13:14

Affected Product

Vendor DHTMLX

Product PDF Export Module

Version 0.3.3

Affected Versions DHTMLX PDF Export Module 0.3.3

CWE Classification

CWE-22

AI Assessment

AI Score 9.2 / 10

AI Severity Critical

Vendor DHTMLX

Product PDF Export Module

Version 0.3.3

References

{
    "lastseen": "",
    "description": "PDF Export Module used in DHTMLX's products Gantt and Scheduler is vulnerable to\u00a0Path Traversal due to lack of HTML sanitization. An unauthenticated user could craft the html payload which could include\n local files from the server and display them in the generated PDF.  \n\nThis issue was fixed in PDF Export Module version 0.7.6.",
    "published": "2026-05-15T12:31:21.791Z",
    "modified": "2026-05-15T13:14:32.252Z",
    "type": "cve",
    "title": "Path Traversal in PDF Export Module",
    "source": "CERT-PL",
    "references": "https://cert.pl/en/posts/2026/05/CVE-2026-7182\nhttps://docs.dhtmlx.com/gantt/guides/pdf-export-module-whatsnew/#076:~:text=Fixed%20Remote%20Code%20Execution%20and%20File%20Read%20vulnerabilities",
    "id": "CVE-2026-41552",
    "bulletinFamily": "",
    "cwe": [
        "CWE-22"
    ],
    "cvelist": null,
    "sourceData": "DHTMLX PDF Export Module 0.3.3",
    "sourceHref": "",
    "cvss": {
        "score": 9.2,
        "severity": "CRITICAL",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "PDF Export Module",
    "version": "0.3.3",
    "vendor": "DHTMLX",
    "ai_description": "Path Traversal vulnerability in PDF Export Module due to lack of HTML sanitization, allowing an unauthenticated user to craft an HTML payload and display local files from the server in the generated PDF.",
    "ai_severity": "Critical",
    "ai_vendor": "DHTMLX",
    "ai_product": "PDF Export Module",
    "ai_version": "0.3.3",
    "ai_score": 9.2
}

💭 Join the Security Discussion ❌ Cancel Reply