Path Traversal Vulnerability in DHTMLX's Gantt and Scheduler PDF Export Module
CVE-2026-41552

9.2CRITICAL

Key Information:

Vendor: Dhtmlx
Status: PDF Export Module
Vendor: CVE Published:; 15 May 2026

What is CVE-2026-41552?

The PDF Export Module in DHTMLX's Gantt and Scheduler products presents a path traversal vulnerability due to insufficient HTML sanitization. This flaw allows unauthenticated users to manipulate the HTML payload, potentially exposing local server files in the generated PDF documents. The issue was addressed in PDF Export Module version 0.7.6, enhancing security measures against unauthorized file access.

Affected Version(s)

PDF Export Module 0.3.3 < 0.7.6

References

https://cert.pl/en/posts/2026/05/CVE-2026-7182

third-party-advisory

https://docs.dhtmlx.com/gantt/guides/pdf-export-module-wh...

release-notes

CVSS V4

Score:

9.2

Severity:

CRITICAL

Confidentiality:

High

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 15, 2026
Vulnerability Reserved
Apr 21, 2026

Credit

Łukasz Jaworski (Pentest Limited)

Tomasz Holeksa (Pentest Limited)

CVE-2026-41552 Data

JSON

Dhtmlx

What is CVE-2026-41552?

Affected Version(s)

References

CVSS V4

Timeline

Credit