PatchSiren cyber security CVE debrief

CVE-2026-41552 DHTMLX CVE debrief

A critical path traversal vulnerability exists in DHTMLX's PDF Export Module, affecting versions from 0.3.3 through 0.7.5. The flaw stems from insufficient HTML sanitization in the PDF generation process, allowing unauthenticated remote attackers to embed malicious HTML payloads that can read arbitrary local files from the server and include their contents in generated PDF documents. The vulnerability was disclosed on May 15, 2026, with NVD analysis completed by May 19, 2026. DHTMLX addressed this issue in PDF Export Module version 0.7.6, which also remediated related remote code execution vulnerabilities. Organizations using affected versions should prioritize upgrading to 0.7.6 or later, as the unauthenticated nature of this vulnerability and high confidentiality impact present significant exposure risk.

Vendor: DHTMLX
Product: PDF Export Module
CVSS: CRITICAL 9.2
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-15
Original CVE updated: 2026-05-19
Advisory published: 2026-05-15
Advisory updated: 2026-05-19

Who should care

  • Organizations using DHTMLX Gantt or Scheduler with PDF Export Module versions 0.3.3 through 0.7.5
  • Development teams implementing server-side PDF generation from HTML content
  • Security teams monitoring for path traversal vulnerabilities in document processing pipelines

Technical summary

The PDF Export Module in DHTMLX Gantt and Scheduler products fails to properly sanitize HTML content during PDF generation. An unauthenticated attacker can craft a malicious HTML payload containing file inclusion directives that the PDF generation process resolves against the server's local filesystem. The rendered PDF then contains the contents of arbitrary files readable by the service account. This represents a classic path traversal vulnerability (CWE-22) where user-controlled input influences filesystem operations without adequate validation or sanitization. The vulnerability is particularly severe given the unauthenticated attack vector and the common deployment pattern of PDF export services with access to sensitive configuration files.

Defensive priority

critical

Recommended defensive actions

  • Upgrade DHTMLX PDF Export Module to version 0.7.6 or later
  • Review PDF generation endpoints for unauthorized access patterns
  • Audit server file access logs for anomalous read operations from PDF export processes
  • Implement network segmentation to limit PDF export service exposure
  • Validate HTML input sanitization in custom PDF generation implementations
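The technical summary above describes the root cause (HTML handed to the PDF renderer can carry resource references that the renderer resolves against the local filesystem), and the last action item asks teams with their own PDF export code to validate their sanitization. The following is an added example, not DHTMLX code and not the 0.7.6 fix: an allowlist pre-filter that runs over an HTML fragment before it reaches any server-side renderer. It drops every element and attribute that could make the renderer fetch something, unless the URL is an absolute http(s) URL on an explicit host allowlist with no `..` segments, and it records what it removed so the decision can be logged. The host `assets.example.internal` and the sample fragment are constructed for the example; only the standard library is used.

```python
"""Allowlist pre-filter for HTML that will be handed to a server-side PDF renderer.

Added example (not DHTMLX code). Strategy: the renderer must never be given a
resource reference we did not explicitly approve, so anything URL-bearing is
removed unless it is an absolute http(s) URL on the allowlist with no traversal.
"""
import html
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Elements that load, redirect or execute resources: removed together with their content.
BLOCKED_TAGS = {"link", "iframe", "frame", "object", "embed", "base", "script", "style", "meta"}
# Void elements never get a closing tag, so they must not change the skip depth.
VOID_TAGS = {"link", "base", "meta", "embed", "frame", "img", "br", "hr", "input"}
# Attributes whose value the renderer treats as a URL to resolve.
URL_ATTRS = {"src", "href", "data", "poster", "background", "xlink:href"}
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_HOSTS = {"assets.example.internal"}  # constructed placeholder for the example
# Inline CSS can also pull resources in; any such construct is rejected outright.
CSS_RESOURCE = re.compile(r"url\s*\(|@import", re.IGNORECASE)


def url_allowed(url, allowed_hosts=ALLOWED_HOSTS):
    """True only for absolute http(s) URLs on the allowlist without '..' path segments.
    Relative paths, file:, javascript:, data: and protocol-relative URLs all fail."""
    parts = urlsplit(url.strip())
    return (parts.scheme.lower() in ALLOWED_SCHEMES
            and parts.hostname in allowed_hosts
            and ".." not in parts.path.split("/"))


class PdfHtmlSanitizer(HTMLParser):
    """Rebuilds the fragment from parsed tokens, keeping only approved tags and attributes."""

    def __init__(self, allowed_hosts=ALLOWED_HOSTS):
        super().__init__()              # convert_charrefs=True: text arrives unescaped
        self.allowed_hosts = allowed_hosts
        self.out = []
        self.dropped = []               # audit trail of (kind, detail) tuples for logging
        self._skip_depth = 0            # > 0 while inside a blocked non-void element

    def _filter_attrs(self, tag, attrs):
        kept = []
        for name, value in attrs:       # HTMLParser lowercases names; value is None for boolean attrs
            value = value or ""
            if name.startswith("on") or name == "srcset":
                self.dropped.append(("attr", f"{tag}@{name}"))
            elif name == "style" and CSS_RESOURCE.search(value):
                self.dropped.append(("attr", f"{tag}@style"))
            elif name in URL_ATTRS and not url_allowed(value, self.allowed_hosts):
                self.dropped.append(("url", f"{tag}@{name}={value}"))
            else:
                kept.append(f' {name}="{html.escape(value, quote=True)}"')
        return "".join(kept)

    def handle_starttag(self, tag, attrs):
        if tag in BLOCKED_TAGS:
            self.dropped.append(("tag", tag))
            if tag not in VOID_TAGS:
                self._skip_depth += 1
        elif not self._skip_depth:
            self.out.append(f"<{tag}{self._filter_attrs(tag, attrs)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # treat <x/> like <x>

    def handle_endtag(self, tag):
        if tag in BLOCKED_TAGS:
            if tag not in VOID_TAGS and self._skip_depth:
                self._skip_depth -= 1
        elif not self._skip_depth:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip_depth:        # text inside blocked elements (e.g. <style>) is discarded
            self.out.append(html.escape(data, quote=False))


def sanitize_for_pdf(fragment, allowed_hosts=ALLOWED_HOSTS):
    """Return (clean_html, dropped_items); log dropped_items before rendering."""
    parser = PdfHtmlSanitizer(allowed_hosts)
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out), parser.dropped


# Constructed sample fragment: one legitimate image plus the kinds of references
# a renderer must never be allowed to resolve.
SAMPLE_FRAGMENT = (
    '<h1>Q2 report</h1>'
    '<img src="https://assets.example.internal/logo.png" alt="logo">'
    '<img src="file:///etc/hostname">'
    '<img src="../../../etc/hosts">'
    '<iframe src="http://internal.example/"></iframe>'
    '<link rel="stylesheet" href="https://other.example/x.css">'
    '<p style="background:url(file:///etc/hosts)">Summary</p>'
    '<a href="https://assets.example.internal/docs" onclick="x()">docs</a>'
)

if __name__ == "__main__":
    clean, dropped = sanitize_for_pdf(SAMPLE_FRAGMENT)
    print(clean)
    for kind, detail in dropped:
        print("dropped", kind, detail)
```

The filter is deliberately an allowlist rather than a blocklist of bad schemes: a renderer that resolves relative paths, `file:` URLs or CSS `url()` references is the same risk in every case, so the safe default is to hand it nothing it was not told to fetch. The `dropped` list is the detection hook; a steady stream of rejected `file:` or `..` references on an export endpoint is exactly the anomalous pattern the action items above say to look for.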

Evidence notes

CVE published 2026-05-15; NVD analysis completed 2026-05-19. CERT.PL advisory confirms vulnerability details. DHTMLX release notes document fix in version 0.7.6. CVSS 4.0 vector indicates network attack vector, low attack complexity, no privileges required, high confidentiality impact to vulnerable system, and high confidentiality impact to subsequent systems.

Official resources

2026-05-15T13:16:18.990Z