PT-2026-27177 · WordPress · Sprig Plugin For Craft Cms

Neosprings · Published 2026-03-23 · Updated 2026-03-23 · CVE-2026-27131

CVSS v3.1: 5.5 (Medium)

Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N

Name of the Vulnerable Software and Affected Versions

Sprig Plugin for Craft CMS versions prior to 2.15.2
Sprig Plugin for Craft CMS versions prior to 3.15.2

Description

The Sprig Plugin for Craft CMS allows admin users and those with Sprig Playground access to potentially reveal security keys, credentials, and other sensitive configuration data. The hashData() function can also be executed. This issue was addressed by disabling Sprig Playground access when devMode is disabled, with a configuration option (enablePlaygroundWhenDevModeDisabled) to override this behavior.

Recommendations

Update to Sprig Plugin for Craft CMS version 2.15.2 or later.
Update to Sprig Plugin for Craft CMS version 3.15.2 or later.
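
Added example, not part of the original advisory or the Sprig project: a Python check that reads composer.lock content and classifies the installed Sprig version against the fixed releases 2.15.2 and 3.15.2. The Composer package name `putyourlightson/craft-sprig`, the reading of each version bound as applying to its own major line, and the sample lock content are assumptions.

```python
import json
import re

# Fixed releases named in the advisory, keyed by major version line.
FIXED = {2: (2, 15, 2), 3: (3, 15, 2)}
# Assumption: Composer package name of the plugin (not stated on the page).
PACKAGE = "putyourlightson/craft-sprig"


def parse_version(text):
    """Parse '2.15.1', 'v3.0.0' or '3.15.2-beta.1' into ((major, minor, patch), is_prerelease)."""
    m = re.match(r"v?(\d+)\.(\d+)(?:\.(\d+))?(-.+)?$", text.strip())
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)), bool(m.group(4))


def is_affected(version_text):
    """True if affected, False if fixed, None if undecidable (e.g. 'dev-main')."""
    parsed = parse_version(version_text)
    if parsed is None:
        return None
    version, prerelease = parsed
    fixed = FIXED.get(version[0])
    if fixed is None:
        # Below 2.x counts as prior to 2.15.2; above 3.x is outside the advisory.
        return version[0] < min(FIXED)
    # Conservative: a pre-release of the fixed version is treated as unfixed.
    return version < fixed or (version == fixed and prerelease)


def audit_lock(lock_text, package=PACKAGE):
    """Return (installed_version, affected) for the plugin, or (None, None) if absent."""
    lock = json.loads(lock_text)
    for entry in lock.get("packages", []) + lock.get("packages-dev", []):
        if entry.get("name") == package:
            version = entry.get("version") or ""
            return version, is_affected(version)
    return None, None


# Constructed sample composer.lock content, not taken from a real site.
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "craftcms/cms", "version": "4.5.0"},
    {"name": PACKAGE, "version": "v2.15.1"},
]})

if __name__ == "__main__":
    print(audit_lock(SAMPLE_LOCK))
```

A result of `None` for the affected flag means the locked version is a branch alias or other non-numeric string and needs manual review.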

Exploit

Fix

Information Disclosure


Weakness Enumeration

Related Identifiers

CVE-2026-27131
GHSA-M59H-42JF-CPHR

Affected Products

Sprig Plugin For Craft Cms