penpot

v2.15.3 Security

This release includes 1 security fix, relevant to security teams reviewing exposed deployments.

✓ No known CVEs patched
This release patches 1 known CVE

Topics

clojure clojurescript design prototyping ui ux-design ux-experience

ReleasePort's take

Light signal
editorial:auto 13d

Penpot 2.15.3 fixes Plugin API token method failures and sanitizes comment rendering and custom font family names.

Why it matters: Upgrade to Penpot 2.15.3 immediately to resolve the Plugin API schema validation bug and mitigate potential XSS risks from unsanitized comments or fonts.

Summary

AI summary

Fixed Plugin API token methods failing with schema validation error.

Changes in this release

Bugfix Medium

Fix Plugin API token methods failing with schema validation error on PRO.

Source: llm_adapter@2026-05-21

Confidence: high

Bugfix Medium

Sanitize comment content on rendering.

Source: llm_adapter@2026-05-21

Confidence: high

Bugfix Medium

Sanitize font family names on custom uploaded fonts.

Source: llm_adapter@2026-05-21

Confidence: high

Full changelog

:bug: Bugs fixed

Security Fixes

  • Sanitized comment content and font family names to prevent injection attacks

About penpot

Penpot: The open-source design tool for design and code collaboration
