Unauthenticated Remote Code Execution Vulnerability in Penpot Open Source Design Tool
CVE-2026-45805

8.8HIGH

Key Information:

Vendor

Penpot

Status
Vendor
CVE Published:
15 July 2026

What is CVE-2026-45805?

Penpot is a collaborative open-source design tool that is vulnerable due to an improperly secured endpoint. Prior to version 2.15.0, the server's ReplServer was bound to 0.0.0.0:4403, exposing an unauthenticated /execute endpoint. This flaw enables any user on the network to execute arbitrary JavaScript on the server via the PluginBridge, posing a significant security risk. The issue has been addressed and resolved in version 2.15.0, and users are strongly advised to update their installations to mitigate potential threats.

Affected Version(s)

penpot < 2.15.0

References

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Adjacent Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.