A vulnerability was found in Penpot up to 2.14.x. It has been classified as problematic. This affects the function create-file-media-object-from-url of the file frontend/src/app/main/data/workspace/media.cljs of the component Image Import. Performing a manipulation of the argument url results in information disclosure.

This vulnerability was named CVE-2026-45806. The attack may be initiated remotely. There is no available exploit.