Severity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N
Lifecycle Timeline
4DescriptionGitHub Advisory
The Sprig Plugin for Craft CMS is a reactive Twig component framework for Craft CMS. Starting in version 2.0.0 and prior to versions 2.15.2 and 3.15.2, admin users, and users with explicit permission to access the Sprig Playground, could potentially expose the security key, credentials, and other sensitive configuration data, in addition to running the hashData() signing function. This issue was mitigated in versions 3.15.2 and 2.15.2 by disabling access to the Sprig Playground entirely when devMode is disabled, by default. It is possible to override this behavior using a new enablePlaygroundWhenDevModeDisabled that defaults to false.
AnalysisAI
The Sprig Plugin for Craft CMS contains an information disclosure vulnerability that allows authenticated admin users and those with explicit Sprig Playground access to expose sensitive configuration data including security keys and credentials, as well as invoke the hashData() signing function. Affected versions include 2.0.0 through 2.15.1 and 3.0.0 through 3.15.1, with patches released in versions 2.15.2 and 3.15.2 that disable the Sprig Playground by default when devMode is disabled. This is not currently tracked as an actively exploited vulnerability in public KEV databases, though proof-of-concept code may exist in the referenced GitHub security advisory and commits.
Technical ContextAI
Sprig is a reactive Twig component framework for Craft CMS that extends Craft's templating capabilities. The vulnerability stems from CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) and originates in the Sprig Playground feature—a development utility exposed via the Craft CMS admin interface. The affected CPE is cpe:2.3:a:putyourlightson:craft-sprig:*:*:*:*:*:*:*:*, confirming the vulnerability across multiple version lines of the putyourlightson craft-sprig product. The root cause is inadequate access controls on the Playground endpoint, which was accessible to high-privileged users even in production environments (when devMode is disabled), allowing exposure of cryptographic material and configuration objects that should only be accessible to backend processes.
RemediationAI
Upgrade the Sprig Plugin to version 2.15.2 or 3.15.2 or later, depending on your Craft CMS major version. These patched versions disable the Sprig Playground by default when devMode is disabled, eliminating the exposure vector. If immediate patching is not possible, enforce devMode disabled on production environments and restrict access to the Craft CMS admin panel to only trusted administrators. For organizations requiring development access in production-like environments, use the new enablePlaygroundWhenDevModeDisabled configuration option set to false (the default) to prevent accidental re-exposure. Monitor the GitHub security advisory at https://github.com/putyourlightson/craft-sprig/security/advisories/GHSA-m59h-42jf-cphr for any follow-up guidance.
Same weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-14515