CVE-2026-27131
Severity: MEDIUM (CVSS v3 base score 5.5)
Source: [email protected]
CVSS v3 vector (from the metrics below): AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: Low
Availability: None
Description
The Sprig plugin for Craft CMS is a reactive Twig component framework for Craft CMS. Starting in version 2.0.0 and prior to versions 2.15.2 and 3.15.2, admin users, and users with explicit permission to access the Sprig Playground, could use the Playground to expose the site's security key, credentials and other sensitive configuration data, and to run the `hashData()` signing function. Versions 2.15.2 and 3.15.2 mitigate this by disabling access to the Sprig Playground entirely when `devMode` is disabled, by default. This behaviour can be overridden with a new `enablePlaygroundWhenDevModeDisabled` setting, which defaults to `false`. Because the fix is a default rather than a removal, a site that sets that override to `true`, or that runs with `devMode` enabled in production, remains exposed to the same admin-level and explicitly permitted users; the Privileges Required: High rating reflects that only such users can reach the Playground.
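As an added example for this entry (not code from Craft CMS, Sprig or the advisory), the following Python models the two things the description says a Playground user gained, a leaked security key and a callable `hashData()`, and the condition under which the fixed versions still expose the Playground. It assumes that Craft's `hashData()` wraps Yii2's `Security::hashData()`, which prepends a hex HMAC-SHA256 of the data under the site's security key, and that `validateData()` checks that prefix; the version ranges and the `devMode` / `enablePlaygroundWhenDevModeDisabled` gate follow the description above. The site key, the payload and the `playground_reachable` helper are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Optional

# Added example; not Craft's, Sprig's or the advisory's code.
# Assumption: Craft's hashData()/validateData() follow Yii2's Security
# component, which prepends hex(HMAC-SHA256(key, data)) to the data.
# Version ranges below are those stated in the advisory description.

MAC_HEX_LEN = hashlib.sha256().digest_size * 2  # 64 hex characters


def hash_data(data: bytes, key: bytes) -> bytes:
    """Sign data as Yii2-style hashData() does: hex HMAC prefix, then the data."""
    mac = hmac.new(key, data, hashlib.sha256).hexdigest().encode()
    return mac + data


def validate_data(signed: bytes, key: bytes) -> Optional[bytes]:
    """Return the payload if its MAC prefix verifies under key, else None."""
    if len(signed) < MAC_HEX_LEN:
        return None
    mac, payload = signed[:MAC_HEX_LEN], signed[MAC_HEX_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest().encode()
    return payload if hmac.compare_digest(mac, expected) else None


def is_vulnerable_version(version: str) -> bool:
    """True for Sprig 2.0.0 <= v < 2.15.2 or 3.0.0 <= v < 3.15.2 (advisory ranges)."""
    parts = [int(p.split("-")[0]) for p in version.split(".")[:3]]
    major, minor, patch = (parts + [0, 0, 0])[:3]
    if major in (2, 3):
        return (minor, patch) < (15, 2)
    return False  # 1.x predates the affected range; no later major is listed


def playground_reachable(version: str, dev_mode: bool,
                         enable_when_dev_mode_disabled: bool = False) -> bool:
    """Can an admin, or a user holding the Playground permission, open it?
    Before the fix: always.  From 2.15.2 / 3.15.2: only with devMode on,
    or with the override setting deliberately enabled (hypothetical helper)."""
    if is_vulnerable_version(version):
        return True
    return dev_mode or enable_when_dev_mode_disabled


def forge_with_leaked_key(leaked_key: bytes, payload: bytes) -> bytes:
    """Path 1: the Playground revealed the security key; sign offline."""
    return hash_data(payload, leaked_key)


def forge_with_oracle(sign: Callable[[bytes], bytes], payload: bytes) -> bytes:
    """Path 2: the key stays secret, but hashData() can be invoked through
    the Playground, so the attacker simply has it sign the payload."""
    return sign(payload)


def demo(site_key: Optional[bytes] = None) -> dict:
    """Run the attacker scenarios against one constructed site key."""
    site_key = site_key or secrets.token_bytes(32)
    payload = b'{"component":"ExportUsers","args":{"all":true}}'  # constructed

    def oracle(data: bytes) -> bytes:  # stands in for hashData() in the Playground
        return hash_data(data, site_key)

    return {
        "leaked_key_forgery_accepted":
            validate_data(forge_with_leaked_key(site_key, payload), site_key) == payload,
        "oracle_forgery_accepted":
            validate_data(forge_with_oracle(oracle, payload), site_key) == payload,
        "blind_guess_accepted":
            validate_data(hash_data(payload, secrets.token_bytes(32)), site_key) == payload,
        "tampered_after_signing_accepted":
            validate_data(hash_data(payload, site_key) + b"}", site_key) == payload,
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {accepted}")
    print("Playground reachable on 3.15.1, devMode off:",
          playground_reachable("3.15.1", dev_mode=False))
    print("Playground reachable on 3.15.2, devMode off:",
          playground_reachable("3.15.2", dev_mode=False))
```

The point of the two forgery paths is that an attacker who can call `hashData()` through the Playground needs neither the key nor an offline attack: anything the application later accepts via `validateData()` can be minted on demand, while a blind guess or a post-signing edit is rejected. The `playground_reachable` check is the triage question for an upgraded site: with `devMode` off and the override left at its `false` default, the Playground is unreachable; either setting flipped reopens it to the same privileged users.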
CWE-200: Exposure of Sensitive Information to an Unauthorized Actor (status: Draft)
Common Consequences
Security Scopes Affected: Confidentiality
Potential Impacts: Read Application Data
Applicable Platforms
Technologies: Mobile, Not Technology-Specific, Web Based

CWE-489: Active Debug Code (status: Draft)
Common Consequences
Security Scopes Affected: Confidentiality, Integrity, Availability, Access Control, Other
Potential Impacts: Bypass Protection Mechanism, Read Application Data, Gain Privileges Or Assume Identity, Varies By Context
Applicable Platforms
Technologies: ICS/OT, Not Technology-Specific
https://github.com/putyourlightson/craft-sprig/commit/09c9da2ffb45a8857829f3390…
https://github.com/putyourlightson/craft-sprig/commit/db18c46f6dc5603828aa321a3…
https://github.com/putyourlightson/craft-sprig/security/advisories/GHSA-m59h-42…