CVE-2026-30235

OpenProject is an open-source, web-based project management software. Prior to 17.2.0, this vulnerability occurs due to improper validation of OpenProject’s Markdown rendering, specifically in the hyperlink handling. This allows an attacker to inject malicious hyperlink payloads that perform DOM clobbering. DOM clobbering can crash or blank the entire page by overwriting native DOM functions with HTML elements, causing critical JavaScript calls to throw runtime errors during application initialization and halt further execution. This vulnerability is fixed in 17.2.0.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/opf/openproject/security/advisories/GHSA-9rv2-9xv5-gpq8	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:openproject:openproject:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-03-11 17:16

Updated : 2026-03-13 19:22

NVD link : CVE-2026-30235

Mitre link : CVE-2026-30235

CVE.ORG link : CVE-2026-30235

JSON object : View

Products Affected

openproject

openproject

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2026-30235", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2026-03-11T17:16:57.470", "references": [{"url": "https://github.com/opf/openproject/security/advisories/GHSA-9rv2-9xv5-gpq8", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "OpenProject is an open-source, web-based project management software. Prior to 17.2.0, this vulnerability occurs due to improper validation of OpenProject\u2019s Markdown rendering, specifically in the hyperlink handling. This allows an attacker to inject malicious hyperlink payloads that perform DOM clobbering. DOM clobbering can crash or blank the entire page by overwriting native DOM functions with HTML elements, causing critical JavaScript calls to throw runtime errors during application initialization and halt further execution. This vulnerability is fixed in 17.2.0."}, {"lang": "es", "value": "OpenProject es un software de gesti\u00f3n de proyectos de c\u00f3digo abierto y basado en la web. Antes de la versi\u00f3n 17.2.0, esta vulnerabilidad ocurre debido a una validaci\u00f3n incorrecta del renderizado de Markdown de OpenProject, espec\u00edficamente en el manejo de hiperv\u00ednculos. Esto permite a un atacante inyectar cargas \u00fatiles de hiperv\u00ednculos maliciosos que realizan DOM clobbering. El DOM clobbering puede bloquear o dejar en blanco la p\u00e1gina completa al sobrescribir funciones DOM nativas con elementos HTML, causando que llamadas cr\u00edticas de JavaScript arrojen errores en tiempo de ejecuci\u00f3n durante la inicializaci\u00f3n de la aplicaci\u00f3n y detengan la ejecuci\u00f3n posterior. Esta vulnerabilidad est\u00e1 corregida en la versi\u00f3n 17.2.0."}], "lastModified": "2026-03-13T19:22:16.667", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:openproject:openproject:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4FB19C4D-0273-43F6-9AF6-3D30795D43BB", "versionEndExcluding": "17.2.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}