CVE-2026-27131
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N
Summary
The Sprig Plugin for Craft CMS is a reactive Twig component framework for Craft CMS. Starting in version 2.0.0 and prior to versions 2.15.2 and 3.15.2, admin users, and users with explicit permission to access the Sprig Playground, could potentially expose the security key, credentials, and other sensitive configuration data, in addition to running the hashData() signing function. This issue was mitigated in versions 3.15.2 and 2.15.2 by disabling access to the Sprig Playground entirely when devMode is disabled, by default. It is possible to override this behavior using a new enablePlaygroundWhenDevModeDisabled that defaults to false.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| putyourlightson | craft-sprig | >= 3.0.0, < 3.15.2 | affected |
| putyourlightson | craft-sprig | >= 2.0.0, < 2.15.2 | affected |
Weaknesses
- CWE-200: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
- CWE-489: CWE-489: Active Debug Code
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://github.com/putyourlightson/craft-sprig/security/advisories/GHSA-m59h-42jf-cphr
- https://github.com/putyourlightson/craft-sprig/commit/09c9da2ffb45a8857829f3390ae2578e26cfe03b
- https://github.com/putyourlightson/craft-sprig/commit/db18c46f6dc5603828aa321a3a615adbd677d475
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.