OpenProject: Malicious Links Can Crash Project Management Software

CVE-2026-30235
Summary

OpenProject, a popular project management tool, had a security flaw that let attackers inject malicious hyperlinks. Such links could crash the application or stop it from working properly. OpenProject fixed the issue in version 17.2.0, so update to that version or later.

What to do

No fix is available yet. Check with your software vendor for updates.

Affected software
Vendor        Product        Affected versions   Fix available
openproject   openproject    <= 17.2.0
Original description
OpenProject is an open-source, web-based project management software. Prior to 17.2.0, this vulnerability occurs due to improper validation of OpenProject’s Markdown rendering, specifically in the hyperlink handling. This allows an attacker to inject malicious hyperlink payloads that perform DOM clobbering. DOM clobbering can crash or blank the entire page by overwriting native DOM functions with HTML elements, causing critical JavaScript calls to throw runtime errors during application initialization and halt further execution. This vulnerability is fixed in 17.2.0.
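As an added illustration of the defensive side (this is not OpenProject's code or its actual fix), the following JavaScript shows a check that lists which anchor id/name values in rendered Markdown HTML would become named window properties, and a pass that strips them; the regex-based tag matching and the sample HTML are constructed assumptions for a stand-alone demo.

```javascript
// Added example, not OpenProject's code or its actual fix: a server-side pass
// over rendered Markdown HTML that (1) reports and (2) removes the anchor
// attributes through which injected markup can shadow properties on window
// (any element's id) or document (name on form/img/embed/object elements).
// Assumptions for a stand-alone demo: anchors are simple <a ...> tags with no
// '>' inside attribute values, and regexes stand in for a real HTML parser.

// One <a ...> opening tag; group 1 holds its attribute string.
const ANCHOR_TAG = /<a\b([^>]*)>/gi;
// One id= or name= attribute; groups 2-4 hold a double-quoted, single-quoted
// or bare value respectively.
const CLOBBER_ATTR = /\s+(id|name)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;

// Detection: list the id/name values that anchors in `html` would expose as
// named globals. Run this on user-supplied Markdown output before storing it,
// or over existing content to find suspicious links.
function findClobberingNames(html) {
  const names = [];
  for (const tag of html.matchAll(ANCHOR_TAG)) {
    for (const attr of tag[1].matchAll(CLOBBER_ATTR)) {
      const value = attr[2] ?? attr[3] ?? attr[4];
      if (value) names.push(value);
    }
  }
  return names;
}

// Mitigation: drop id/name from every anchor while keeping href and the rest.
function stripClobberingAttributes(html) {
  return html.replace(ANCHOR_TAG, (_tag, attrs) => `<a${attrs.replace(CLOBBER_ATTR, '')}>`);
}

// Constructed sample of what an unfiltered Markdown renderer might emit; the
// id value is a placeholder name, not a specific application global.
const SAMPLE =
  '<p>See <a href="https://example.org/x" id="someInitFunction">docs</a> ' +
  "and <a name='config' href='#'>this</a>.</p>";

console.log(findClobberingNames(SAMPLE)); // [ 'someInitFunction', 'config' ]
console.log(stripClobberingAttributes(SAMPLE));
```

In a browser, an HTML-parser-based sanitizer such as DOMPurify (whose SANITIZE_DOM option, on by default, removes clobbering id/name attributes) is the robust choice over regexes like these.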
NVD CVSS 3.1 score: 6.5
Vulnerability type
CWE-79 Cross-site Scripting (XSS)
Published: 11 Mar 2026 · Updated: 13 Mar 2026 · First seen: 11 Mar 2026