CVE-2026-30235— Business Logic Error on OpenProject through hyperlinks in markdown using DOM clobbering
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-30235
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Business Logic Error on OpenProject through hyperlinks in markdown using DOM clobbering
Source: NVD (National Vulnerability Database)
Vulnerability Description
OpenProject is an open-source, web-based project management software. Prior to 17.2.0, this vulnerability occurs due to improper validation of OpenProject’s Markdown rendering, specifically in the hyperlink handling. This allows an attacker to inject malicious hyperlink payloads that perform DOM clobbering. DOM clobbering can crash or blank the entire page by overwriting native DOM functions with HTML elements, causing critical JavaScript calls to throw runtime errors during application initialization and halt further execution. This vulnerability is fixed in 17.2.0.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
在Web页面生成时对输入的转义处理不恰当(跨站脚本)
Source: NVD (National Vulnerability Database)
Vulnerability Title
OpenProject 跨站脚本漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
OpenProject是OpenProject开源的一个基于Web的项目管理软件。 OpenProject 17.2.0之前版本存在跨站脚本漏洞,该漏洞源于OpenProject的Markdown渲染验证不当,特别是在超链接处理中,可能导致攻击者注入执行DOM破坏的恶意超链接有效载荷,从而崩溃或清空整个页面。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| opf | openproject | < 17.2.0 | - |
II. Public POCs for CVE-2026-30235
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-30235
请登录查看更多情报信息。
Same Patch Batch · opf · 2026-03-11 · 5 CVEs total
| CVE-2026-30234 | 6.5 MEDIUM | OpenProject BIM BCF XML Import: <Snapshot> Path Traversal Leads to Arbitrary Local File Re |
| CVE-2026-30239 | 6.5 MEDIUM | OpenProject has a Permission Check bypass on Budget deletion allows reassignment of WorkPa |
| CVE-2026-30236 | 4.3 MEDIUM | OpenProject users that are not project members can be used to calculate Labor Budget, leak |
| CVE-2026-31974 | 3.0 LOW | Blind SSRF on OpenProject instance via webhooks |
IV. Related Vulnerabilities
Same product: openproject
- CVE-2026-40896
OpenProject has Cross-Project Meeting Agenda Item Injection - CVE-2026-33667
OpenProject: 2FA OTP Verification Missing Rate Limiting - CVE-2026-34717
OpenProject: SQL Injection in Cost Reporting =n Operator via - CVE-2026-32703
OpenProject's repository files are served with the MIME type - CVE-2026-32698
OpenProject has a SQL Injection via Custom Field Name that c
Same vendor: opf
- CVE-2026-40896
OpenProject has Cross-Project Meeting Agenda Item Injection - CVE-2026-33667
OpenProject: 2FA OTP Verification Missing Rate Limiting - CVE-2026-34717
OpenProject: SQL Injection in Cost Reporting =n Operator via - CVE-2026-32703
OpenProject's repository files are served with the MIME type - CVE-2026-32698
OpenProject has a SQL Injection via Custom Field Name that c
Same weakness: CWE-79
- CVE-2026-8262
Devs Palace ERP Online chart-save cross site scripting - CVE-2026-8256
Devs Palace ERP Online mr-save cross site scripting - CVE-2026-8255
Devs Palace ERP Online add_new_customer cross site scripting - CVE-2026-8254
Devs Palace ERP Online sales_save cross site scripting - CVE-2026-8253
Devs Palace ERP Online purchase_save cross site scripting
V. Comments for CVE-2026-30235
No comments yet