Description

The Sprig Plugin for Craft CMS is a reactive Twig component framework for Craft CMS. Starting in version 2.0.0 and prior to versions 2.15.2 and 3.15.2, admin users, and users with explicit permission to access the Sprig Playground, could potentially expose the security key, credentials, and other sensitive configuration data, in addition to running the `hashData()` signing function. This issue was mitigated in versions 3.15.2 and 2.15.2 by disabling access to the Sprig Playground entirely when `devMode` is disabled, by default. It is possible to override this behavior using a new `enablePlaygroundWhenDevModeDisabled` that defaults to `false`.

INFO

Published Date :

2026-03-23T19:04:37.417Z

Last Modified :

2026-03-24T14:09:08.984Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-27131 vulnerability.

Vendors Products
Putyourlightson
  • Craft-sprig
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-27131.

URL Resource
https://github.com/putyourlightson/craft-sprig/commit/09c9da2ffb45a8857829f3390ae2578e26cfe03b cve-icon cve-icon
https://github.com/putyourlightson/craft-sprig/commit/db18c46f6dc5603828aa321a3a615adbd677d475 cve-icon cve-icon
https://github.com/putyourlightson/craft-sprig/security/advisories/GHSA-m59h-42jf-cphr cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact