Skip to main content

Craft Sprig CVE-2026-27131

| EUVDEUVD-2026-14515 MEDIUM
Information Exposure (CWE-200)
2026-03-23 GitHub_M
5.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.5 MEDIUM
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 23, 2026 - 19:30 euvd
EUVD-2026-14515
Analysis Generated
Mar 23, 2026 - 19:30 vuln.today
CVE Published
Mar 23, 2026 - 19:04 nvd
MEDIUM 5.5

DescriptionGitHub Advisory

The Sprig Plugin for Craft CMS is a reactive Twig component framework for Craft CMS. Starting in version 2.0.0 and prior to versions 2.15.2 and 3.15.2, admin users, and users with explicit permission to access the Sprig Playground, could potentially expose the security key, credentials, and other sensitive configuration data, in addition to running the hashData() signing function. This issue was mitigated in versions 3.15.2 and 2.15.2 by disabling access to the Sprig Playground entirely when devMode is disabled, by default. It is possible to override this behavior using a new enablePlaygroundWhenDevModeDisabled that defaults to false.

AnalysisAI

The Sprig Plugin for Craft CMS contains an information disclosure vulnerability that allows authenticated admin users and those with explicit Sprig Playground access to expose sensitive configuration data including security keys and credentials, as well as invoke the hashData() signing function. Affected versions include 2.0.0 through 2.15.1 and 3.0.0 through 3.15.1, with patches released in versions 2.15.2 and 3.15.2 that disable the Sprig Playground by default when devMode is disabled. This is not currently tracked as an actively exploited vulnerability in public KEV databases, though proof-of-concept code may exist in the referenced GitHub security advisory and commits.

Technical ContextAI

Sprig is a reactive Twig component framework for Craft CMS that extends Craft's templating capabilities. The vulnerability stems from CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) and originates in the Sprig Playground feature—a development utility exposed via the Craft CMS admin interface. The affected CPE is cpe:2.3:a:putyourlightson:craft-sprig:*:*:*:*:*:*:*:*, confirming the vulnerability across multiple version lines of the putyourlightson craft-sprig product. The root cause is inadequate access controls on the Playground endpoint, which was accessible to high-privileged users even in production environments (when devMode is disabled), allowing exposure of cryptographic material and configuration objects that should only be accessible to backend processes.

RemediationAI

Upgrade the Sprig Plugin to version 2.15.2 or 3.15.2 or later, depending on your Craft CMS major version. These patched versions disable the Sprig Playground by default when devMode is disabled, eliminating the exposure vector. If immediate patching is not possible, enforce devMode disabled on production environments and restrict access to the Craft CMS admin panel to only trusted administrators. For organizations requiring development access in production-like environments, use the new enablePlaygroundWhenDevModeDisabled configuration option set to false (the default) to prevent accidental re-exposure. Monitor the GitHub security advisory at https://github.com/putyourlightson/craft-sprig/security/advisories/GHSA-m59h-42jf-cphr for any follow-up guidance.

Share

CVE-2026-27131 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy