← back
CVE-2026-45806

Penpot: Authenticated SSRF in remote image import via create-file-media-object-from-url

CVSS 7.7 HIGHCWE-918
Vexday Risk Score
38Attention
SSVC decision (CISA)
Attend
PoC available → attend closely
Exploit maturity
Proof of concept
Public proof of concept exists, but not yet automated.
CVSS 7.7EPSS KEV nãoPoC públicaNuclei Metasploit Patch
Lifecycle
26 Jun 2026Public PoC
15 Jul 2026Published on NVD
Recommendation: Plan a near-term fix — a public PoC already exists.
Penpot is an open-source design tool for design and code collaboration. Prior to 2.15.0, Penpot's remote image import passed the user-controlled url from frontend/src/app/main/data/workspace/media.cljs into the backend RPC method :create-file-media-object-from-url in backend/src/app/rpc/commands/media.clj, where media/download-image in backend/src/app/media.clj used the shared HTTP client without destination filtering, allowing an authenticated file editor to reach internal-only endpoints. This issue is fixed in version 2.15.0.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Affected products
penpot · penpot
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.