CVE-2026-30235

OpenProject is an open-source, web-based project management software. Prior to 17.2.0, this vulnerability occurs due to improper validation of OpenProject’s Markdown rendering, specifically in the hyperlink handling. This allows an attacker to inject malicious hyperlink payloads that perform DOM clobbering. DOM clobbering can crash or blank the entire page by overwriting native DOM functions with HTML elements, causing critical JavaScript calls to throw runtime errors during application initialization and halt further execution. This vulnerability is fixed in 17.2.0.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/opf/openproject/security/advisories/GHSA-9rv2-9xv5-gpq8	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:openproject:openproject:*:*:*:*:*:*:*:*

History

13 Mar 2026, 19:22

Type	Values Removed	Values Added
CPE		cpe:2.3:a:openproject:openproject::::::::
Summary		(es) OpenProject es un software de gestión de proyectos de código abierto y basado en la web. Antes de la versión 17.2.0, esta vulnerabilidad ocurre debido a una validación incorrecta del renderizado de Markdown de OpenProject, específicamente en el manejo de hipervínculos. Esto permite a un atacante inyectar cargas útiles de hipervínculos maliciosos que realizan DOM clobbering. El DOM clobbering puede bloquear o dejar en blanco la página completa al sobrescribir funciones DOM nativas con elementos HTML, causando que llamadas críticas de JavaScript arrojen errores en tiempo de ejecución durante la inicialización de la aplicación y detengan la ejecución posterior. Esta vulnerabilidad está corregida en la versión 17.2.0.
References	~~() https://github.com/opf/openproject/security/advisories/GHSA-9rv2-9xv5-gpq8 -~~	() https://github.com/opf/openproject/security/advisories/GHSA-9rv2-9xv5-gpq8 - Vendor Advisory
First Time		Openproject openproject Openproject

11 Mar 2026, 17:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-11 17:16

Updated : 2026-03-13 19:22

NVD link : CVE-2026-30235

Mitre link : CVE-2026-30235

CVE.ORG link : CVE-2026-30235

JSON object : View

Products Affected

openproject

openproject

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

6.5 /10