penpot

v2.15.4 Security

This release includes 1 security fix, relevant to security teams reviewing exposed deployments.

✓ No known CVEs patched
This release patches 1 known CVE

Topics

clojure clojurescript design prototyping ui ux-design ux-experience

Affected surfaces

auth

Summary

AI summary

A mixed release of enhancements and bug fixes, including https://github.com/penpot/penpot/pull/9722 and https://github.com/penpot/penpot/issues/9723.

Changes in this release

Feature Medium

Add rate limiting and concurrency safety for file snapshot operations

Source: llm_adapter@2026-06-02

Confidence: high

Feature Medium

Prevent concurrent font uploads from causing excessive simultaneous requests

Source: llm_adapter@2026-06-02

Confidence: high

Feature Medium

Emit `create-shape-layout` event for flex/grid layout creation from plugins and MCP

Source: llm_adapter@2026-06-02

Confidence: high

Bugfix High

Fix broken authentication on /assets handlers

Source: llm_adapter@2026-06-02

Confidence: high

Bugfix Medium

Fix API doc endpoint returning HTML as text/plain

Source: llm_adapter@2026-06-02

Confidence: high

Bugfix Medium

Fix unexpected error when opening the export dialog

Source: llm_adapter@2026-06-02

Confidence: high

Full changelog

:sparkles: New features & Enhancements

  • Add rate limiting and concurrency safety for file snapshot operations #9723 (PR: #9722)
  • Prevent concurrent font uploads from causing excessive simultaneous requests #9922 (PR: #9921)

:bug: Bugs fixed

  • Emit create-shape-layout for flex/grid layout creation from plugins and MCP (same event as workspace) #9652 (PR: #9654)
  • Fix broken authentication on /assets handlers #9677 (PR: #9679)
  • Fix API doc endpoint returning HTML as text/plain #9680 (PR: #9681)
  • Fix unexpected error when opening the export dialog #9721 (PR: #9704)

Security Fixes

  • Fix broken authentication on /assets handlers

About penpot

Penpot: The open-source design tool for design and code collaboration