CVE-2026-27131

MEDIUM 5.5

Sprig Plugin for Craft CMS potentially discloses sensitive information via Sprig Playground

CVSS Score

5.5

EPSS Score

0.0%

EPSS Percentile

8th

The Sprig Plugin for Craft CMS is a reactive Twig component framework for Craft CMS. Starting in version 2.0.0 and prior to versions 2.15.2 and 3.15.2, admin users, and users with explicit permission to access the Sprig Playground, could potentially expose the security key, credentials, and other sensitive configuration data, in addition to running the `hashData()` signing function. This issue was mitigated in versions 3.15.2 and 2.15.2 by disabling access to the Sprig Playground entirely when `devMode` is disabled, by default. It is possible to override this behavior using a new `enablePlaygroundWhenDevModeDisabled` that defaults to `false`.

CWE	CWE-200 CWE-489
Vendor	putyourlightson
Product	craft-sprig
Published	Mar 23, 2026
Last Updated	Mar 24, 2026

Stay Ahead of the Next One

Get instant alerts for putyourlightson craft-sprig

Be the first to know when new medium vulnerabilities affecting putyourlightson craft-sprig are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

Low

Availability

None

Affected Versions

putyourlightson / craft-sprig

>= 3.0.0, < 3.15.2 >= 2.0.0, < 2.15.2

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/putyourlightson/craft-sprig/security/advisories/GHSA-m59h-42jf-cphr github.com: https://github.com/putyourlightson/craft-sprig/commit/09c9da2ffb45a8857829f3390ae2578e26cfe03b github.com: https://github.com/putyourlightson/craft-sprig/commit/db18c46f6dc5603828aa321a3a615adbd677d475