OpenProject
cpe:2.3:a:openproject:openproject:*:*:*:*:*:*:*
- < 17.2.0
OpenProject versions prior to 17.2.0 improperly validate hyperlinks when rendering Markdown. Attackers can inject harmful hyperlink payloads that perform DOM clobbering, which can break the entire page by overwriting essential DOM functions with HTML elements. Critical JavaScript calls then raise runtime errors during the application's startup process, halting further execution.
Successful exploitation causes the application to crash or display a blank page, because native DOM functions are overwritten with HTML elements. The resulting runtime errors in crucial JavaScript calls during application initialization stop further execution and can cause significant user-facing issues.
Users can upgrade to OpenProject version 17.2.0 or later to address this vulnerability.
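Where rendered Markdown has to be hardened independently of the upgrade, one general defence against DOM clobbering is to namespace every user-supplied `id` and `name` value so it can no longer match a property name that scripts look up. The sketch below is an added example, not OpenProject's fix or code from the advisory; it assumes the clobbering relies on `id`/`name` attributes (the general mechanism, which the advisory does not spell out), and the `user-content-` prefix, function name and sample HTML are hypothetical.

```javascript
// Added example: prefix user-supplied id/name values in rendered Markdown HTML
// so they cannot collide with property names on document or window.
const PREFIX = "user-content-"; // hypothetical prefix (assumption)

// One opening tag: group 1 = tag name, group 2 = raw attributes, group 3 = "/".
const TAG = /<([a-zA-Z][\w:-]*)((?:\s+[^\s"'>\/=]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?)*)\s*(\/?)>/g;
// One whole attribute, quoted values consumed as a unit so text such as
// title="see id=top" is never mistaken for an id attribute.
const ATTR = /(\s+)([^\s"'>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

function namespaceNamedAttrs(html) {
  const renamed = []; // audit trail of every value that was rewritten
  const output = html.replace(TAG, (whole, tag, attrs, slash) => {
    const fixed = attrs.replace(ATTR, (m, sp, attr, dq, sq, bare) => {
      const key = attr.toLowerCase();
      if (key !== "id" && key !== "name") return m;
      const value = dq ?? sq ?? bare ?? "";
      if (value === "" || value.startsWith(PREFIX)) return m;
      renamed.push({ tag: tag.toLowerCase(), attr: key, value });
      // Re-emit with double quotes; escape any quote from a '...' value.
      return `${sp}${key}="${PREFIX}${value.replace(/"/g, "&quot;")}"`;
    });
    return `<${tag}${fixed}${slash ? " /" : ""}>`;
  });
  return { output, renamed };
}

// Constructed sample of renderer output (not taken from the advisory).
const SAMPLE =
  '<p><a href="https://example.org/docs" name="config">docs</a> ' +
  "<a id='intro' title=\"see id=top\">intro</a></p>";

const result = namespaceNamedAttrs(SAMPLE);
console.log(result.output);
console.log(result.renamed);
```

In-page fragment links (`href="#intro"`) must be rewritten with the same prefix, or resolved by script, once the targets are renamed.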