Remote Image Import Vulnerability in Penpot Design Tool
CVE-2026-45806
7.7HIGH
What is CVE-2026-45806?
Penpot, an open-source design tool, is vulnerable due to improper handling of user-controlled URLs during remote image imports. Specifically, prior to version 2.15.0, the tool allowed authenticated users to exploit this vulnerability by accessing internal-only endpoints through the backend. This was possible because the URL was passed without sufficient filtering, leading to potential unauthorized actions within the system. Users are advised to upgrade to version 2.15.0 or later to mitigate this risk.
Affected Version(s)
penpot < 2.15.0
