Description
OpenProject is an open-source, web-based project management software. Prior to 17.2.0, this vulnerability occurs due to improper validation of OpenProject’s Markdown rendering, specifically in the hyperlink handling. This allows an attacker to inject malicious hyperlink payloads that perform DOM clobbering. DOM clobbering can crash or blank the entire page by overwriting native DOM functions with HTML elements, causing critical JavaScript calls to throw runtime errors during application initialization and halt further execution. This vulnerability is fixed in 17.2.0.
References (1)
Core 1
Core References
Vendor Advisory x_refsource_confirm
https://github.com/opf/openproject/security/advisories/GHSA-9rv2-9xv5-gpq8
Scores
CVSS v3
6.5
EPSS
0.0032
EPSS Percentile
23.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-79
Status
published
Products (1)
openproject/openproject
< 17.2.0
Published
Mar 11, 2026
Tracked Since
Mar 12, 2026