CVE-2026-30235: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in opf openproject
OpenProject is an open-source, web-based project management software. Prior to 17.2.0, this vulnerability occurs due to improper validation of OpenProject’s Markdown rendering, specifically in the hyperlink handling. This allows an attacker to inject malicious hyperlink payloads that perform DOM clobbering. DOM clobbering can crash or blank the entire page by overwriting native DOM functions with HTML elements, causing critical JavaScript calls to throw runtime errors during application initialization and halt further execution. This vulnerability is fixed in 17.2.0.
AI Analysis
Technical Summary
CVE-2026-30235 is a cross-site scripting vulnerability categorized under CWE-79 affecting OpenProject, an open-source web-based project management tool. The flaw exists in versions prior to 17.2.0 due to improper input validation during Markdown rendering, specifically in hyperlink handling. Attackers can craft malicious hyperlink payloads that exploit DOM clobbering, a technique where injected HTML elements overwrite native DOM functions. This manipulation causes critical JavaScript calls to throw runtime errors during the application's initialization phase, effectively crashing or blanking the entire page and halting further script execution. Unlike typical XSS attacks that may steal data or hijack sessions, this vulnerability primarily results in denial of service by disrupting the application's availability. The CVSS 3.1 base score is 6.5, reflecting a medium severity with network attack vector, low attack complexity, requiring privileges but no user interaction, and impacting availability only. There are no known exploits in the wild as of the published date. The vulnerability is resolved in OpenProject version 17.2.0 by correcting the Markdown hyperlink validation logic to prevent DOM clobbering.
Potential Impact
The primary impact of this vulnerability is denial of service, as successful exploitation crashes or blanks the OpenProject web interface, preventing users from accessing project management functionalities. This disruption can affect team productivity, project tracking, and collaboration, especially in organizations relying heavily on OpenProject for daily operations. Since the vulnerability does not compromise confidentiality or integrity, sensitive data exposure or unauthorized modifications are not direct concerns. However, the loss of availability can have cascading effects, such as delayed project timelines and impaired communication. Attackers with network access and low privileges within the OpenProject environment can exploit this flaw without requiring user interaction, increasing the risk in multi-user or shared environments. Organizations using vulnerable versions may face operational interruptions until patched.
Mitigation Recommendations
To mitigate this vulnerability, organizations should upgrade OpenProject to version 17.2.0 or later, where the issue is fixed. Until upgrading is possible, administrators can implement strict input validation and sanitization on Markdown content, particularly scrutinizing hyperlink inputs to prevent injection of malicious payloads. Employing Content Security Policy (CSP) headers can help reduce the impact of injected scripts by restricting script execution sources. Monitoring application logs for unusual JavaScript errors or page crashes can aid in early detection of exploitation attempts. Limiting user privileges to the minimum necessary reduces the attack surface, as exploitation requires at least low privileges. Regularly reviewing and updating third-party dependencies and plugins associated with OpenProject can also prevent similar vulnerabilities. Finally, educating users about the risks of injecting untrusted Markdown content can reduce inadvertent exposure.
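The summary above describes the failure mode (an injected element with an id or name that shadows a DOM property, so calls such as getElementById throw during initialization) and the mitigation section recommends validating hyperlink input. The following JavaScript is an added illustration written for this page, not OpenProject's renderer or its 17.2.0 fix; it shows the two defensive layers a Markdown renderer can apply: an allowlist of anchor attributes that never includes id or name, and a start-up integrity check that reports clobbered DOM functions instead of letting the page blank. The function names, the attribute allowlist, the required-function list and the stand-in document object are all assumptions.

```javascript
// Added example, not OpenProject code: two defensive layers against DOM
// clobbering through Markdown hyperlinks. Function names, the attribute
// allowlist and the list of required DOM functions are assumptions.

// 1. Attributes a Markdown-rendered <a> may carry. id and name are
//    deliberately absent: an element whose id/name equals a DOM property
//    name (e.g. "getElementById") shadows that property on window/document.
const ALLOWED_ANCHOR_ATTRS = new Set(['href', 'title', 'rel', 'target']);
const SAFE_URL_SCHEMES = new Set(['http', 'https', 'mailto']);

// Browsers strip ASCII control characters and spaces from a URL before
// parsing, so the scheme check must do the same or "java\nscript:" slips by.
function isSafeHref(value) {
  const cleaned = String(value).replace(/[\x00-\x20]/g, '');
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  if (!m) return true; // no scheme at all: relative or protocol-relative URL
  return SAFE_URL_SCHEMES.has(m[1].toLowerCase());
}

// Return a sanitized copy of an anchor's attribute map: anything outside the
// allowlist is dropped, an unsafe href is dropped, and a target forces
// rel="noopener noreferrer".
function sanitizeAnchorAttributes(attrs) {
  const out = {};
  for (const [rawName, value] of Object.entries(attrs)) {
    const name = rawName.toLowerCase();
    if (!ALLOWED_ANCHOR_ATTRS.has(name)) continue;
    if (name === 'href' && !isSafeHref(value)) continue;
    out[name] = String(value);
  }
  if ('target' in out) out.rel = 'noopener noreferrer';
  return out;
}

function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;').replace(/</g, '&lt;')
    .replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

// Emit the final tag from the sanitized attributes, escaping text and values.
function renderAnchor(attrs, text) {
  const clean = sanitizeAnchorAttributes(attrs);
  const attrString = Object.entries(clean)
    .map(([k, v]) => ` ${k}="${escapeHtml(v)}"`).join('');
  return `<a${attrString}>${escapeHtml(text)}</a>`;
}

// 2. Start-up integrity check. A clobbered member is an element object
//    rather than a function; checking before initialization turns a blank
//    page into a logged, reportable condition. `doc` is injected so the
//    check runs outside a browser.
const REQUIRED_DOCUMENT_FUNCTIONS = [
  'getElementById', 'querySelector', 'querySelectorAll', 'createElement',
];

// Return the names of required members that are no longer functions.
function findClobberedMembers(doc, required = REQUIRED_DOCUMENT_FUNCTIONS) {
  return required.filter((name) => typeof doc[name] !== 'function');
}

// Demo on constructed input: a link carrying id/onclick attributes, and a
// stand-in document whose createElement has been replaced by an element-like
// object, as clobbering would do.
function demo() {
  const fakeDoc = {
    getElementById: () => null,
    querySelector: () => null,
    querySelectorAll: () => [],
    createElement: { tagName: 'FORM', id: 'createElement' },
  };
  return {
    rendered: renderAnchor(
      { href: 'https://example.com/?a=1&b=2', id: 'getElementById', onclick: 'x()' },
      'Docs <b>'),
    clobbered: findClobberedMembers(fakeDoc),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

Run the file directly to see `demo()` print the rendered anchor (only href survives) and `['createElement']` as the clobbered member. The allowlist is the durable fix: a renderer that never emits id or name from user content cannot be used to shadow DOM properties, whatever the attacker names the element; the integrity check is a second line that makes a clobbered page fail loudly, which is what log monitoring for unusual JavaScript errors needs in order to detect an attempt.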
Affected Countries
United States, Germany, United Kingdom, France, Canada, Australia, Netherlands, Sweden, Switzerland, Japan
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-04T17:23:59.798Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69b198902f860ef9433d35f2
Added to database: 3/11/2026, 4:30:08 PM
Last enriched: 3/11/2026, 4:45:15 PM
Last updated: 3/11/2026, 8:18:46 PM