Unauthenticated Remote Code Execution Vulnerability in Penpot Open Source Design Tool
CVE-2026-45805
8.8HIGH
What is CVE-2026-45805?
Penpot is a collaborative open-source design tool that is vulnerable due to an improperly secured endpoint. Prior to version 2.15.0, the server's ReplServer was bound to 0.0.0.0:4403, exposing an unauthenticated /execute endpoint. This flaw enables any user on the network to execute arbitrary JavaScript on the server via the PluginBridge, posing a significant security risk. The issue has been addressed and resolved in version 2.15.0, and users are strongly advised to update their installations to mitigate potential threats.
Affected Version(s)
penpot < 2.15.0
