CVE-2026-41552
7.5 HIGHPDF Export Module used in DHTMLX's products Gantt and Scheduler is vulnerable to Path Traversal due to lack of HTML sanitization
Published: 2026-05-15 · Last updated: 2026-05-19
Severity and scoring
- CVSS
- 7.5 HIGH
- Vector
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- CWE
- CWE-22
Affected products
| Vendor | Product |
|---|---|
| dhtmlx | pdf_export_module |
Description
PDF Export Module used in DHTMLX's products Gantt and Scheduler is vulnerable to Path Traversal due to lack of HTML sanitization. An unauthenticated user could craft the html payload which could include local files from the server and display them in the generated PDF. This issue was fixed in PDF Export Module version 0.7.6.
Source: NVD
References
Related CVEs
Same vendor
- CVE-2026-41553 — PDF Export Module used in DHTMLX's products Gantt and Scheduler is vulnerable to Remote Code Execution due to lack of "data" parameter sa... (10.0 CRITICAL)
Same CWE
- CVE-2026-47368 — A malicious actor with access to the network could exploit a Path Traversal vulnerability found in certain devices running UniFi OS to ob... (8.6 HIGH)
- CVE-2026-45171 — Incomplete input validation and improperly configured folder permissions within Idira Privileged Session Manager (PSM) versions prior to ...
- CVE-2025-24268 — A parsing issue in the handling of directory paths was addressed with improved path validation (5.5 MEDIUM)
- CVE-2026-49982 — tmp is a temporary file and directory creator for node.js (8.2 HIGH)
- CVE-2026-44705 — tmp is a temporary file and directory creator for node.js