CVE-2026-30235
Received Received - Intake
DOM Clobbering via Malicious Links in OpenProject Markdown

Publication date: 2026-03-11

Last updated on: 2026-03-13

Assigner: GitHub, Inc.

Description
OpenProject is an open-source, web-based project management software. Prior to 17.2.0, this vulnerability occurs due to improper validation of OpenProject’s Markdown rendering, specifically in the hyperlink handling. This allows an attacker to inject malicious hyperlink payloads that perform DOM clobbering. DOM clobbering can crash or blank the entire page by overwriting native DOM functions with HTML elements, causing critical JavaScript calls to throw runtime errors during application initialization and halt further execution. This vulnerability is fixed in 17.2.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-11
Last Modified
2026-03-13
Generated
2026-06-16
AI Q&A
2026-03-11
EPSS Evaluated
2026-06-15
NVD
CVE-2026-30235
EUVD
EUVD-2026-11235
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
openproject openproject to 17.2.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-30235 is a moderate severity vulnerability in OpenProject versions prior to 17.2.0 caused by improper validation in the Markdown rendering, specifically in hyperlink handling.

This flaw allows attackers to inject malicious hyperlink payloads that exploit DOM clobbering, a technique where HTML elements overwrite native DOM functions.

As a result, critical JavaScript calls during application initialization throw runtime errors, causing the entire page to crash or become blank and halting further execution.

Impact Analysis

This vulnerability impacts the availability of the OpenProject application by causing the entire page to crash or become blank.

Because critical JavaScript calls fail during initialization, the application halts further execution, potentially disrupting project management activities.

The vulnerability does not impact confidentiality or integrity, but the denial of service can affect business operations relying on OpenProject.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, you should upgrade OpenProject to version 17.2.0 or later, where the issue with improper Markdown hyperlink validation and DOM clobbering has been fixed.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-30235. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart