CVE-2026-30235
Received Received - Intake
DOM Clobbering via Malicious Links in OpenProject Markdown

Publication date: 2026-03-11

Last updated on: 2026-03-13

Assigner: GitHub, Inc.

Description
OpenProject is an open-source, web-based project management software. Prior to 17.2.0, this vulnerability occurs due to improper validation of OpenProject’s Markdown rendering, specifically in the hyperlink handling. This allows an attacker to inject malicious hyperlink payloads that perform DOM clobbering. DOM clobbering can crash or blank the entire page by overwriting native DOM functions with HTML elements, causing critical JavaScript calls to throw runtime errors during application initialization and halt further execution. This vulnerability is fixed in 17.2.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-11
Last Modified
2026-03-13
Generated
2026-05-07
AI Q&A
2026-03-11
EPSS Evaluated
2026-05-05
NVD
CVE-2026-30235
EUVD
EUVD-2026-11235
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
openproject openproject to 17.2.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-30235 is a moderate severity vulnerability in OpenProject versions prior to 17.2.0 caused by improper validation in the Markdown rendering, specifically in hyperlink handling.

This flaw allows attackers to inject malicious hyperlink payloads that exploit DOM clobbering, a technique where HTML elements overwrite native DOM functions.

As a result, critical JavaScript calls during application initialization throw runtime errors, causing the entire page to crash or become blank and halting further execution.


How can this vulnerability impact me? :

This vulnerability impacts the availability of the OpenProject application by causing the entire page to crash or become blank.

Because critical JavaScript calls fail during initialization, the application halts further execution, potentially disrupting project management activities.

The vulnerability does not impact confidentiality or integrity, but the denial of service can affect business operations relying on OpenProject.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

I don't know


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, you should upgrade OpenProject to version 17.2.0 or later, where the issue with improper Markdown hyperlink validation and DOM clobbering has been fixed.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart