Remote Image Import Vulnerability in Penpot Design Tool
CVE-2026-45806

7.7HIGH

Key Information:

Vendor

Penpot

Status
Vendor
CVE Published:
15 July 2026

What is CVE-2026-45806?

Penpot, an open-source design tool, is vulnerable due to improper handling of user-controlled URLs during remote image imports. Specifically, prior to version 2.15.0, the tool allowed authenticated users to exploit this vulnerability by accessing internal-only endpoints through the backend. This was possible because the URL was passed without sufficient filtering, leading to potential unauthorized actions within the system. Users are advised to upgrade to version 2.15.0 or later to mitigate this risk.

Affected Version(s)

penpot < 2.15.0

References

CVSS V3.1

Score:
7.7
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.