CVE-2026-27131 MEDIUM

CVE-2026-27131: Sprig Plugin for Craft CMS potentially discloses sensitive information via Sprig Playground

Vendor Putyourlightson
Product craft-sprig
Weakness CWE-200 · Info exposure
Published March 23, 2026
Last update March 24, 2026

CVSS base score

5.5/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Confidentiality High
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N

What the vulnerability does

01Description

The Sprig Plugin for Craft CMS is a reactive Twig component framework for Craft CMS. Starting in version 2.0.0 and prior to versions 2.15.2 and 3.15.2, admin users, and users with explicit permission to access the Sprig Playground, could potentially expose the security key, credentials, and other sensitive configuration data, in addition to running the `hashData()` signing function. This issue was mitigated in versions 3.15.2 and 2.15.2 by disabling access to the Sprig Playground entirely when `devMode` is disabled, by default. It is possible to override this behavior using a new `enablePlaygroundWhenDevModeDisabled` that defaults to `false`.

Key dates

02Disclosure timeline

March 23, 2026 CVE published
March 24, 2026 Record updated